Felix Günther
TLS Crypto Seminar (Winter 2019 Quarter @ UCSD)

Jan 14 – Mar 15, 2019
Dates: Thursday 1:00–2:30pm
Room: CSE 4217
Type: Seminar (informal)


This seminar is a part-lecture, part-reading-group endeavor to learn about the cryptography of the TLS (Transport Layer Security) protocol. It encompasses two parts:

  1. TLS <= 1.2: In the first part, I will provide a general introduction to the TLS protocol and background on the cryptographic definitions (for key exchange and secure channels) involved. We will then read three papers on analyses of and attacks on TLS, diving deeper into the protocol and understanding some of the many security weaknesses in versions up to 1.2.
  2. TLS 1.3: For the second part, we will look into the new and completely overhauled TLS version 1.3, standardized in August 2018. I will again provide an introduction, including insights from within the 4-year standardization process, and discuss some provable-security analysis results I was involved in. We will then read three further papers, learning about different analysis approaches (esp. formal methods) and discussing how TLS 1.3 overcomes previous design flaws and what new attack vectors it might introduce.

The latter part will lead us to the "research frontier" in the area, as TLS 1.3 still demands further understanding, e.g., in terms of security models or underlying cryptographic assumptions, but also regarding more secure constructions or future designs of quantum-secure components.


Date    | Topic                                                                                   | Presented by
--------+-----------------------------------------------------------------------------------------+---------------
Jan 10  | no seminar (RWC 2019)                                                                   | -
        | TLS <= 1.2                                                                              |
Jan 17  | TLS introduction [TLS1.2] & cryptographic background [BR93,BKN02] (ca. 90min)           | Felix [slides]
Jan 24  | Lucky 13 [AP13]                                                                         | Nicholas
Jan 31  | no seminar                                                                              | -
Feb 7   | The ACCE model [JKSS12,KPW13]                                                           | Joseph
Feb 14  | Logjam [ABD+15]                                                                         | Mark
        | TLS 1.3                                                                                 |
Feb 21  | The road to TLS 1.3 [TLS1.3] & provable-security analyses [FG17,GM17] (ca. 90min)       | Felix
Feb 28  | Multiplexing channels [PS18]                                                            | Vivek
Mar 7   | Symbolic analysis of TLS 1.3 [CHH+17]                                                   | Baiyu
Mar 14  | Downgrade resilience [BBF+16]                                                           | Ruth


[ABD+15] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella Béguelin, and Paul Zimmermann. Imperfect forward secrecy: How Diffie-Hellman fails in practice. ACM CCS 2015
[AP13] Nadhem J. AlFardan and Kenneth G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. IEEE S&P 2013
[BBF+16] Karthikeyan Bhargavan, Christina Brzuska, Cédric Fournet, Matthew Green, Markulf Kohlweiss, and Santiago Zanella Béguelin. Downgrade resilience in key-exchange protocols. IEEE S&P 2016
[BBK17] Karthikeyan Bhargavan, Bruno Blanchet, and Nadim Kobeissi. Verified models and reference implementations for the TLS 1.3 standard candidate. IEEE S&P 2017
[BL16] Karthikeyan Bhargavan and Gaëtan Leurent. Transcript collision attacks: Breaking authentication in TLS, IKE and SSH. NDSS 2016
[BKN02] Mihir Bellare, Tadayoshi Kohno, and Chanathip Namprempre. Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. ACM CCS 2002
[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. CRYPTO 1993
[CHH+17] Cas Cremers, Marko Horvat, Jonathan Hoyland, Sam Scott, and Thyla van der Merwe. A comprehensive symbolic analysis of TLS 1.3. ACM CCS 2017
[DLFK+17] Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Jonathan Protzenko, Aseem Rastogi, Nikhil Swamy, Santiago Zanella Béguelin, Karthikeyan Bhargavan, Jianyang Pan, and Jean Karim Zinzindohoue. Implementing and proving the TLS 1.3 record layer. IEEE S&P 2017
[FG17] Marc Fischlin and Felix Günther. Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates. IEEE EuroS&P 2017
[GM17] Felix Günther and Sogol Mazaheri. A formal treatment of multi-key channels. CRYPTO 2017
[JKSS12] Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk. On the security of TLS-DHE in the standard model. CRYPTO 2012
[JSS15] Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. ACM CCS 2015
[KPW13] Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee. On the security of the TLS protocol: A systematic analysis. CRYPTO 2013
[PS18] Christopher Patton and Thomas Shrimpton. Partially specified channels: The TLS 1.3 record layer without elision. ACM CCS 2018
[TLS1.2] Tim Dierks and Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008
[TLS1.3] Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), August 2018

Copyright notice
The documents contained in these directories are included by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.