The privacy of the TLS 1.3 protocol

Open access


TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks against TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but also aims to protect the identities of the server and client by encrypting messages as soon as possible during authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices), which mostly targets authentication protocols. The enhanced models share similarities with the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modeling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another, and such a link reveals information on the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and also against more powerful ones.
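The two privacy points the abstract makes, that TLS 1.3 encrypts the Certificate messages a TLS 1.2 handshake sends in the clear, and that resumption tickets carry state from one session to the next that a passive observer can use to link connections, can be made concrete with a toy model of the observer's view of the wire. The following Python is an added illustration, not code from the paper or from any TLS implementation: message names and their order follow RFC 5246 and RFC 8446, but the `encrypted` flag merely marks which records travel under handshake traffic keys (no real key schedule or AEAD is run), and the server names, certificate subjects and ticket values are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Record:
    """One handshake message as it crosses the wire (toy model)."""
    name: str
    fields: dict
    encrypted: bool = False  # True once handshake traffic keys protect the record


def tls12_full_handshake(sni, server_cert, client_cert=None):
    """TLS 1.2 (EC)DHE flow (RFC 5246, Section 7.3): every message before
    ChangeCipherSpec is plaintext, both Certificate messages included."""
    msgs = [
        Record("ClientHello", {"sni": sni}),
        Record("ServerHello", {}),
        Record("Certificate", {"server_identity": server_cert}),
        Record("ServerKeyExchange", {"key_share": "server-dh-public"}),
    ]
    if client_cert:
        msgs.append(Record("CertificateRequest", {}))
    msgs.append(Record("ServerHelloDone", {}))
    if client_cert:
        msgs.append(Record("Certificate", {"client_identity": client_cert}))
    msgs.append(Record("ClientKeyExchange", {"key_share": "client-dh-public"}))
    msgs.append(Record("Finished", {}, encrypted=True))
    return msgs


def tls13_full_handshake(sni, server_cert, client_cert=None):
    """TLS 1.3 (EC)DHE flow (RFC 8446, Section 2): after ServerHello both sides
    hold handshake traffic keys, so certificates are encrypted. The ClientHello,
    and with it the SNI, is still sent in the clear."""
    msgs = [
        Record("ClientHello", {"sni": sni, "key_share": "client-dh-public"}),
        Record("ServerHello", {"key_share": "server-dh-public"}),
        Record("EncryptedExtensions", {}, encrypted=True),
    ]
    if client_cert:
        msgs.append(Record("CertificateRequest", {}, encrypted=True))
    msgs.append(Record("Certificate", {"server_identity": server_cert}, encrypted=True))
    msgs.append(Record("CertificateVerify", {}, encrypted=True))
    msgs.append(Record("Finished", {}, encrypted=True))
    if client_cert:
        msgs.append(Record("Certificate", {"client_identity": client_cert}, encrypted=True))
        msgs.append(Record("CertificateVerify", {}, encrypted=True))
    msgs.append(Record("Finished", {}, encrypted=True))
    return msgs


def passive_view(msgs):
    """Fields a passive observer can read: those of unencrypted records only."""
    seen = {}
    for m in msgs:
        if not m.encrypted:
            seen.update(m.fields)
    return seen


def leaked_identities(msgs):
    """Party identities (certificate subjects) the observer learns from a handshake."""
    return {k: v for k, v in passive_view(msgs).items() if k.endswith("_identity")}


def resumption_client_hello(sni, ticket):
    """TLS 1.3 PSK resumption: the ticket is the PSK identity carried in the
    plaintext pre_shared_key extension (RFC 8446, Section 4.2.11)."""
    return Record("ClientHello", {"sni": sni, "psk_identity": ticket})


def link_by_ticket(client_hellos):
    """Group observed connections by their plaintext PSK identity. Connections
    that reuse a ticket fall into one group and are thus linkable, which is why
    RFC 8446 Appendix C.4 says clients SHOULD NOT reuse a ticket."""
    groups = defaultdict(list)
    for i, ch in enumerate(client_hellos):
        groups[ch.fields["psk_identity"]].append(i)
    return {t: idx for t, idx in groups.items() if len(idx) > 1}


if __name__ == "__main__":
    # Constructed sample values.
    print("TLS 1.2 leaks:", leaked_identities(tls12_full_handshake("example.test", "CN=srv", "CN=alice")))
    print("TLS 1.3 leaks:", leaked_identities(tls13_full_handshake("example.test", "CN=srv", "CN=alice")))
    hellos = [resumption_client_hello("example.test", t) for t in ("tkt-A", "tkt-B", "tkt-A")]
    print("linkable via reused ticket:", link_by_ticket(hellos))
```

The model only captures what is in the abstract's scope: a full handshake hides certificate-based identities from a passive observer in TLS 1.3 but not in TLS 1.2, while the cleartext SNI remains visible in both, and a resumption ticket presented twice links the two connections regardless of how well the rest of the handshake is encrypted.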

[1] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella Béguelin, and Paul Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of ACM CCS 2015, pages 5–17. IEEE, 2015.

[2] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the security of RC4 in TLS and WPA. In USENIX Security Symposium, 2013.

[3] Nadhem J. AlFardan and Kenneth G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy (SP’13), 2013.

[4] Antoine Delignat-Lavaud and Karthikeyan Bhargavan. Network-based origin confusion attacks against HTTPS virtual hosting. In Proceedings of WWW’15, pages 227–237. Springer, 2015.

[5] Ghada Arfaoui, Xavier Bultel, Pierre-Alain Fouque, Adina Nedelcu, and Cristina Onete. The privacy of the TLS 1.3 protocol. Cryptology ePrint Archive, Report 2019/749, 2019.

[6] Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. DROWN: Breaking TLS using SSLv2. 2016.

[7] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and Esfandiar Mohammadi. AnoA: A framework for analyzing anonymous communication protocols. In Proceedings of CSF. IEEE, 2013.

[8] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, pages 232–249, 1993.

[9] Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In Proceedings of IEEE S&P 2015, pages 535–552. IEEE, 2015.

[10] Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In Proceedings of IEEE S&P 2015, pages 535–552. IEEE, 2015.

[11] Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti, and Pierre-Yves Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Proceedings of IEEE S&P 2014, pages 98–113. IEEE, 2014.

[12] Karthikeyan Bhargavan and Gaetan Leurent. Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH. In Accepted at NDSS 2016, to appear, 2016.

[13] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Proceedings of CRYPTO’98, volume 1462 of LNCS, pages 1–12, 1998.

[14] Tim Dierks and Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008.

[15] Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In ACM CCS, pages 1197–1210, 2015.

[16] Nir Drucker and Shay Gueron. Selfie: Reflections on TLS 1.3 with PSK. Cryptology ePrint Archive, Report 2019/347, 2019.

[17] EU. General Data Protection Regulation - GDPR.

[18] EU. Regulation on Privacy and Electronic Communications.

[19] Marc Fischlin and Felix Günther. Multi-stage key exchange and the case of Google’s QUIC protocol. In ACM CCS, pages 1193–1204, 2014.

[20] Pierre-Alain Fouque, Cristina Onete, and Benjamin Richard. Achieving better privacy for the 3GPP AKA protocol. In Proceedings of PETS (PoPETS), volume 4, 2016.

[21] Christina Garman, Kenneth G. Paterson, and Thyla Van der Merwe. Attacks only get better: Password recovery attacks against RC4 in TLS. In Proceedings of USENIX 2015, pages 113–128. USENIX Association, 2015.

[22] Alejandro Hevia and Daniele Micciancio. An indistinguishability-based characterization of anonymous channels. In Proceedings of PETS, volume 5134 of LNCS, pages 24–43. Springer, 2008.

[23] Jens Hermans, Andreas Pashalidis, Frederik Vercauteren, and Bart Preneel. A new RFID privacy model. In Computer Security – ESORICS 2011, 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12–14, 2011, Proceedings, 2011.

[24] Markulf Kohlweiss, Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi. (De-)constructing TLS 1.3. In Progress in Cryptology – INDOCRYPT 2015, 16th International Conference on Cryptology in India, Bangalore, India, December 6–9, 2015, Proceedings, pages 85–102, 2015.

[25] Hugo Krawczyk. SIGMA: The ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In Advances in Cryptology – CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, pages 400–425, 2003.

[26] Hugo Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In Advances in Cryptology — CRYPTO 2010, volume 6223 of LNCS. Springer, 2010.

[27] Kenneth G. Paterson, Thomas Ristenpart, and Thomas Shrimpton. Tag size does matter: Attacks and proofs for the TLS record protocol. In Advances in Cryptology — ASIACRYPT 2011, volume 7073 of LNCS, pages 372–389. Springer-Verlag, 2011.

[28] Angelo Prado, Neal Harris, and Yoel Gluck. SSL, gone in 30 seconds: A BREACH beyond CRIME. Black Hat 2013, 2013.

[29] Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018.

[30] Juliano Rizzo and Thai Duong. The CRIME attack. Ekoparty 2012, 2012.

[31] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. SIP: Session Initiation Protocol. RFC 3261, June 2002.

[32] Serge Vaudenay. Security flaws induced by CBC padding – applications to SSL, IPSEC, WTLS. In Proceedings of EUROCRYPT 2002, volume 2332 of LNCS, pages 534–545, 2002.

[33] Serge Vaudenay. On privacy models for RFID. In Advances in cryptology – ASIACRYPT, volume 4833 of LNCS, pages 68–87. Springer, 2007.

[34] Wikipedia. Global surveillance disclosures (2013–present).
