Prohibiting Secure Sockets Layer (SSL) Version 2.0

Turner, Seán; Polk, Tim

doi:10.17487/rfc6176

Cited by 42 publications

(21 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All TLS versions since SSL3 protect the integrity of the full handshake and SSL2 has been deprecated [61]. miTLS does not support SSL2, and our Theorem 4 guarantees agreement over all handshake parameters, including the version and ciphersuite, on safe epochs, that is, when both peers are honest and negotiate strong handshake algorithms.…”

Section: Attacks Involving Multiple Algorithms and Handshakesmentioning

confidence: 99%

Proving the TLS Handshake Secure (As It Is)

Bhargavan

Fournet

Kohlweiss

et al. 2014

Advances in Cryptology – CRYPTO 2014

View full text Add to dashboard Cite

The TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS. We experimentally confirm that all mainstream implementations of TLS share key materials between different algorithms, some of them of dubious strength. We outline attacks in their handling of resumption and renegotiation, stressing the need to model multiple related instances of the handshake.We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. miTLS inter-operates with mainstream browsers and servers for many protocol versions, configurations, and ciphersuites; and it provides application-level, provable security for some.We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. By necessity, our definitions are stronger than those expected with simple modern protocols. To validate our model of key encapsulation, we prove that both RSA and Diffie-Hellman ciphersuites satisfy our definition for the KEM. In particular, we formalize the use of PKCS#1v1.5 encryption in TLS, including recommended countermeasures against Bleichenbacher attacks, and build a 3,000-line EasyCrypt proof of the security of the resulting master secret KEM against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize.Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model. We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools.

show abstract

Section: Attacks Involving Multiple Algorithms and Handshakesmentioning

confidence: 99%

Proving the TLS Handshake Secure (As It Is)

Bhargavan

Fournet

Kohlweiss

et al. 2014

Advances in Cryptology – CRYPTO 2014

View full text Add to dashboard Cite

show abstract

“…Rationale: Today, SSLv2 is considered insecure [RFC6176]. Rationale: TLS compression has been subject to security attacks, such as the CRIME attack.…”

Section: Ssl/tls Protocol Versionsmentioning

confidence: 99%

Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)

Holz¹,

Sheffer²,

Saint-Andre³

2015

View full text Add to dashboard Cite

Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.

show abstract

“…See current publications by the IETF TLS working group, including RFC 6176 [RFC6176], for guidance on the ciphersuites currently considered to be appropriate for use. Also, see "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" [RFC7525] for recommendations on improving the security of software and services using TLS.…”

Section: Tls Requirementsmentioning

confidence: 99%