Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate

Bhargavan, Karthikeyan; Blanchet, Bruno; Kobeissi, Nadim

doi:10.1109/sp.2017.26

Cited by 139 publications

(90 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More precisely, we revisit a previous analysis of TLS 1.3 Draft 18 by Bhargavan et al [9,10]. This analysis splits TLS 1.3 into 3 pieces: the initial handshake, the handshake with pre-shared key, and the record protocol, and claims that security of TLS 1.3 can be obtained by composing these 3 pieces.…”

Section: Introductionmentioning

confidence: 89%

See 1 more Smart Citation

Composition Theorems for CryptoVerif and Application to TLS 1.3

Blanchet

2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

We present composition theorems for security protocols, to compose a key exchange protocol and a symmetric-key protocol that uses the exchanged key. Our results rely on the computational model of cryptography and are stated in the framework of the tool CryptoVerif. They support key exchange protocols that guarantee injective or non-injective authentication. They also allow random oracles shared between the composed protocols. To our knowledge, they are the first composition theorems for key exchange stated for a computational protocol verification tool, and also the first to allow such flexibility. As a case study, we apply our composition theorems to a proof of TLS 1.3 Draft-18. This work fills a gap in a previous paper that informally claims a compositional proof of TLS 1.3, without formally justifying it.

show abstract

Section: Introductionmentioning

confidence: 89%

“…Our proof of TLS 1.3 relies on a previous analysis of the pieces that we compose [9,10]. Figure 1 summarizes the structure of the composition.…”

Section: A Short Reminder On Cryptoverifmentioning

confidence: 99%

Composition Theorems for CryptoVerif and Application to TLS 1.3

Blanchet

2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

show abstract

“…When the long-term key d U of an aircraft is compromised, we naturally expect that the adversary can impersonate the aircraft to any ground entity. However, ProVerif finds out that the adversary can also impersonate any ground entity to the compromised aircraft: it finds an attack against the correspondence (13). This is a key compromise impersonation (KCI) attack.…”

Section: ) Message Authentication This Property Is Formalized By Thmentioning

confidence: 99%

“…The non-injective authentication of V to U is modeled by a non-injective variant of (13). A sharedkey protocol cannot provide forward-secrecy nor protect against key compromise impersonation: the compromise of K U,V allows the adversary to compute all keys, decrypt all messages, and impersonate participants from both sides.…”

Section: Security Analysismentioning

confidence: 99%

“…Many other cases studies have been conducted using ProVerif (see [16] for references), a few using CryptoVerif [1], [14], [20], [23], [25], [46]. This study is one of the rare that combine both tools [13], [36]: [36] studies the Signal messaging protocol and [13] studies TLS 1.3 Draft-18. Those two studies generate ProVerif scripts from JavaScript code for symbolic verification, and additionally use manually written CryptoVerif scripts to obtain computational guarantees.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Symbolic and Computational Mechanized Verification of the ARINC823 Avionic Protocols

Blanchet

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Abstract-We present the first formal analysis of two avionic protocols that aim to secure air-ground communications, the ARINC823 public-key and shared-key protocols. We verify these protocols both in the symbolic model of cryptography, using ProVerif, and in the computational model, using CryptoVerif. While we confirm many security properties of these protocols, we also find several weaknesses, attacks, and imprecisions in the standard. We propose fixes for these problems. This case study required the specification of new cryptographic primitives in CryptoVerif. It also illustrates the complementarity between symbolic and computational verification. I. INTRODUCTIONSecuring electronic communications between aircrafts and ground entities (control towers, airlines) becomes more and more important. Indeed, such electronic communications convey more and more important information and aircrafts are prominent targets for attacks, such as terrorist attacks. So, even if most air-ground communications are currently sent in the clear, the adoption of secured communications seems unavoidable.Several [34]) in order to secure these communications. In this paper, we study the ARINC823 standard [2]. This standard aims to secure ACARS (Aircraft Communications Addressing and Reporting System) messages. These messages are short text messages, which include air traffic control messages, such as clearance messages, flight plans, weather information, as well as maintenance messages, so that needed maintenance operations can be planed at the next airport.In addition to security (authentication and secrecy of the messages), other goals are apparent in the design of the standard:• Bandwidth: the available bandwidth is limited and the ACARS messages are relatively short, so the protocol is designed to minimize the additional bandwidth required for security.• Resistance to failures: the messages are conveyed even in case of failure of the security system. • Flexibility: the protocol is designed to provide different levels of security: authentication and secrecy, authentication only, and no security, on a message-per-message basis. These additional goals justify the design of specific protocols. The ARINC823 standard provides two such protocols:

show abstract