The privacy of the TLS 1.3 protocol

Open access


TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks against TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but also aims to protect the identities of the server and the client by encrypting messages as early as possible during authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices), which mostly targets authentication protocols. The enhanced models share similarities with the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modeling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another, and such a link reveals information on the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and also against more powerful ones.

