Implementing and Proving the TLS 1.3 Record Layer

K. Bhargavan, Antoine Delignat-Lavaud, C. Fournet, Markulf Kohlweiss, J. Pan, Jonathan Protzenko, Aseem Rastogi, N. Swamy, Santiago Zanella Béguelin, J. Zinzindohoué
Published in: 2017 IEEE Symposium on Security and Privacy (SP), pp. 463-482
Publication date: 2017-05-22
DOI: 10.1109/SP.2017.58 (https://doi.org/10.1109/SP.2017.58)
Citation count: 98

Abstract

The record layer is the main bridge between TLS applications and internal sub-protocols. Its core functionality is an elaborate form of authenticated encryption: streams of messages for each sub-protocol (handshake, alert, and application data) are fragmented, multiplexed, and encrypted with optional padding to hide their lengths. Conversely, the sub-protocols may provide fresh keys or signal stream termination to the record layer. Compared to prior versions, TLS 1.3 discards obsolete schemes in favor of a common construction for Authenticated Encryption with Associated Data (AEAD), instantiated with algorithms such as AES-GCM and ChaCha20-Poly1305. It differs from TLS 1.2 in its use of padding, associated data and nonces. It also encrypts the content-type used to multiplex between sub-protocols. New protocol features such as early application data (0-RTT and 0.5-RTT) and late handshake messages require additional keys and a more general model of stateful encryption. We build and verify a reference implementation of the TLS record layer and its cryptographic algorithms in F*, a dependently typed language where security and functional guarantees can be specified as pre- and post-conditions. We reduce the high-level security of the record layer to cryptographic assumptions on its ciphers. Each step in the reduction is verified by typing an F* module; for each step that involves a cryptographic assumption, this module precisely captures the corresponding game. We first verify the functional correctness and injectivity properties of our implementations of one-time MAC algorithms (Poly1305 and GHASH) and provide a generic proof of their security given these two properties. We show the security of a generic AEAD construction built from any secure one-time MAC and PRF. We extend AEAD, first to stream encryption, then to length-hiding, multiplexed encryption. Finally, we build a security model of the record layer against an adversary that controls the TLS sub-protocols. We compute concrete security bounds for the AES_128_GCM, AES_256_GCM, and CHACHA20_POLY1305 ciphersuites, and derive recommended limits on sent data before re-keying. We plug our implementation of the record layer into the miTLS library, confirm that they interoperate with Chrome and Firefox, and report initial performance results. Combining our functional correctness, security, and experimental results, we conclude that the new TLS record layer (as described in RFCs and cryptographic standards) is provably secure, and we provide its first verified implementation.