On the Security of TLS Resumption and Renegotiation  

作　　者：Xinyu Li Jingy Xu Zhenfeng Zhang Dengguo Feng 

机构地区：[1]CAS Key Laboratory of Electromagnetic Space Information,University of Science and Technology of China [2]Trusted Computing and Information Assurance Laboratory,Institute of Software, Chinese Academy of Sciences

出　　处：《China Communications》2016年第12期176-188,共13页中国通信（英文版）

基　　金：supported by the National Grand Fundamental Research (973) Program of China under Grant 2013CB338003;the National Natural Science Foundation of China (NSFC) under Grants U1536205, 61170279 and 61572485

摘　　要：The Transport Layer Security(TLS) protocol is the most important standard on the Internet for key exchange. TLS standard supports many additional handshake modes such as resumption and renegotiation besides the full handshake. The interaction and dependence of different modes may lead to some practical attacks on TLS. In 2014, Bhargavan et al. described a triple handshake attack on TLS 1.2 by exploiting the sequential running of three different modes of TLS, which can lead to a client impersonation attack after the third handshake. Subsequently, TLS 1.2 was patched with the extended master secret extension of RFC 7627 to prevent this attack. In this paper we introduce a new definition of "uniqueness" and present a renegotiable & resumable ACCE security model. We identify the triple handshake attack within the new model, and furthermore show TLS with the proposed fix can be proven secure in our model.The Transport Layer Security（TLS） protocol is the most important standard on the Internet for key exchange. TLS standard supports many additional handshake modes such as resumption and renegotiation besides the full handshake. The interaction and dependence of different modes may lead to some practical attacks on TLS. In 2014, Bhargavan et al. described a triple handshake attack on TLS 1.2 by exploiting the sequential running of three different modes of TLS, which can lead to a client impersonation attack after the third handshake. Subsequently, TLS 1.2 was patched with the extended master secret extension of RFC 7627 to prevent this attack. In this paper we introduce a new definition of ＂uniqueness＂ and present a renegotiable ＆ resumable ACCE security model. We identify the triple handshake attack within the new model, and furthermore show TLS with the proposed fix can be proven secure in our model.

关 键 词：TLS 1.2 resumption RENEGOTIATION security model 

分 类 号：TN918.4[电子电信—通信与信息系统]