Implementing TLS with Verified Cryptographic Security
Open Access
- 1 May 2013
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 445-459
- https://doi.org/10.1109/sp.2013.37
Abstract
TLS is possibly the most used protocol for secure communications, with a 18-year history of flaws and fixes, ranging from its protocol logic to its cryptographic design, and from the Internet standard to its diverse implementations. We develop a verified reference implementation of TLS 1.2. Our code fully supports its wire formats, ciphersuites, sessions and connections, re-handshakes and resumptions, alerts and errors, and data fragmentation, as prescribed in the RFCs; it interoperates with mainstream web browsers and servers. At the same time, our code is carefully structured to enable its modular, automated verification, from its main API down to computational assumptions on its cryptographic algorithms. Our implementation is written in F# and specified in F7. We present security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake. We describe their verification using the F7 typechecker. To this end, we equip each cryptographic primitive and construction of TLS with a new typed interface that captures its security properties, and we gradually replace concrete implementations with ideal functionalities. We finally typecheck the protocol state machine, and obtain precise security theorems for TLS, as it is implemented and deployed. We also revisit classic attacks and report a few new ones.Keywords
This publication has 34 references indexed in Scilit:
- A Framework for the Cryptographic Verification of Java-Like ProgramsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2012
- Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures FailPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2012
- Modular code-based cryptographic verificationPublished by Association for Computing Machinery (ACM) ,2011
- JavaSPIInternational Journal of Secure Software Engineering, 2011
- Universally Composable Symmetric EncryptionPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2009
- The Transport Layer Security (TLS) Protocol Version 1.22008
- HMAC is a randomness extractor and applications to TLSPublished by Association for Computing Machinery (ACM) ,2008
- The Transport Layer Security (TLS) Protocol Version 1.12006
- Security Analysis of Crypto-based Java Programs using Automated Theorem ProversPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2006
- On the Security of RSA Encryption in TLSLecture Notes in Computer Science, 2002