DOI: 10.1145/3548606.3559360
Research article, ACM CCS conference proceedings

A Symbolic Analysis of Privacy for TLS 1.3 with Encrypted Client Hello

Published: 07 November 2022

ABSTRACT

TLS 1.3, the newest version of the Transport Layer Security (TLS) protocol, provides strong authentication and confidentiality guarantees that have been comprehensively analyzed in a variety of formal models. However, despite its controversial use of handshake meta-data encryption, the privacy guarantees of TLS 1.3 remain weak and poorly understood. For example, the protocol reveals the identity of the target server to network attackers, allowing the passive surveillance and active censorship of TLS connections. To close this gap, the IETF TLS working group is standardizing a new privacy extension called Encrypted Client Hello (ECH, previously called ESNI), but the absence of a formal privacy model makes it hard to verify that this extension works. Indeed, several early drafts of ECH were found to be vulnerable to active network attacks.

In this paper, we present the first mechanized formal analysis of privacy properties for the TLS 1.3 handshake. We study all standard modes of TLS 1.3, with and without ECH, using the symbolic protocol analyzer ProVerif. We discuss attacks on ECH, some found during the course of this study, and show how they are accounted for in the latest version. Our analysis has helped guide the standardization process for ECH and we provide concrete privacy recommendations for TLS implementors. We also contribute the most comprehensive model of TLS 1.3 to date, which can be used by designers experimenting with new extensions to the protocol. Ours is one of the largest privacy proofs attempted using an automated verification tool and may be of general interest to protocol analysts.


Published in

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Copyright © 2022 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions (18%)
