Section: New Results

A Verified Reference Implementation of Transport Layer Security

Participants: Benjamin Beurdouche [correspondent], Karthikeyan Bhargavan [correspondent], Antoine Delignat-Lavaud, Cedric Fournet [Microsoft Research], Markulf Kohlweiss [Microsoft Research], Alfredo Pironti, Pierre-Yves Strub [IMDEA], Santiago Zanella-Béguelin [Microsoft Research], Jean Karim Zinzindohoue.

Following on from previous work in the miTLS project, we published new versions of miTLS (http://mitls.org) that implement various protocol extensions, including the new session hash extension.

At CRYPTO 2014 [55], we published the first detailed cryptographic proof of an implementation of the TLS Handshake. The implementation consists of about 5000 lines of code and is equipped with about 2500 lines of security annotations written in F7, together with a 3000-line EasyCrypt proof.

Currently, we are extending and improving this verified implementation to cover commonly used TLS extensions as well as TLS 1.3, the new version of TLS that we are actively involved in designing. We recently hosted a meeting of the TLS working group at Inria in Paris and are active members of the core working group.

In parallel, we have been analyzing other implementations of TLS and testing them against our implementation, both to ensure interoperability and to uncover bugs. Our analyses have led to the discovery of serious state machine vulnerabilities in many TLS implementations, including Oracle JSSE, NSS, OpenSSL, SecureTransport, CyaSSL, Mono, and RSA BSAFE. On our recommendations, all of these TLS libraries issued important security updates in 2014.
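The state machine defects mentioned above are, at bottom, a failure to check that handshake messages arrive in exactly the order the negotiated key exchange prescribes. The following added example (written for this page, not code from miTLS or from any of the libraries named) models the strict client-side check for the server's first flight in TLS 1.2 (RFC 5246): the expected sequence is fixed once the ServerHello names a cipher suite, and any skipped, repeated, extra or out-of-order message aborts the handshake. The cipher suite names are real RFC 5246 names; the message traces fed to it are constructed.

```python
"""Strict TLS 1.2 client-side handshake state machine (educational model).

Constructed example: after ServerHello, the server flight must be exactly the
sequence RFC 5246 prescribes for the negotiated key exchange. Anything else
(a skipped ServerKeyExchange, a message after ServerHelloDone, a suite the
client never offered) is rejected instead of being silently accepted.
"""
from dataclasses import dataclass, field

# Server flight for RSA key transport versus ephemeral Diffie-Hellman
# (RFC 5246 section 7.3); DHE additionally requires ServerKeyExchange.
RSA_FLIGHT = ["ServerHello", "Certificate", "ServerHelloDone"]
DHE_FLIGHT = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone"]

# Cipher suite -> expected server flight. Only suites listed here are modelled.
EXPECTED_FLIGHT = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": RSA_FLIGHT,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": DHE_FLIGHT,
}


class HandshakeError(Exception):
    """Raised on any deviation from the expected message sequence."""


@dataclass
class ClientHandshake:
    """Tracks the single message the client is willing to accept next."""
    offered_suites: list
    expected: list = field(default_factory=list)
    position: int = 0

    def receive(self, msg_type, **fields):
        """Consume one server message; return True once the flight is complete."""
        if not self.expected:
            # Nothing is known yet except that ServerHello must come first.
            if msg_type != "ServerHello":
                raise HandshakeError(f"unexpected {msg_type} before ServerHello")
            suite = fields.get("cipher_suite")
            if suite not in self.offered_suites:
                raise HandshakeError(f"server chose unoffered suite {suite}")
            flight = EXPECTED_FLIGHT.get(suite)
            if flight is None:
                raise HandshakeError(f"no state machine model for suite {suite}")
            self.expected = flight
        expected_now = self.expected[self.position]
        if msg_type != expected_now:
            # This is the check a lax implementation omits: it must be fatal.
            raise HandshakeError(f"expected {expected_now}, got {msg_type}")
        self.position += 1
        return self.position == len(self.expected)


def check_trace(offered_suites, trace):
    """Run a constructed server flight through the state machine.

    trace is a list of (message_type, fields) pairs. Returns "ok" when the
    flight is exactly what the negotiated suite requires, otherwise a string
    starting with "rejected:" that names the first violation.
    """
    hs = ClientHandshake(offered_suites=list(offered_suites))
    try:
        done = False
        for msg_type, fields in trace:
            if done:
                raise HandshakeError(f"{msg_type} after ServerHelloDone")
            done = hs.receive(msg_type, **fields)
        if not done:
            raise HandshakeError("server flight incomplete")
    except HandshakeError as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed traces exercising the model.
OFFERED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
GOOD_DHE = [("ServerHello", {"cipher_suite": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}),
            ("Certificate", {}), ("ServerKeyExchange", {}), ("ServerHelloDone", {})]
SKIPPED_SKE = [("ServerHello", {"cipher_suite": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}),
               ("Certificate", {}), ("ServerHelloDone", {})]
EXTRA_SKE_RSA = [("ServerHello", {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA"}),
                 ("Certificate", {}), ("ServerKeyExchange", {}), ("ServerHelloDone", {})]
UNOFFERED = [("ServerHello", {"cipher_suite": "TLS_NULL_WITH_NULL_NULL"})]

if __name__ == "__main__":
    for name, trace in [("good DHE", GOOD_DHE), ("skipped SKE", SKIPPED_SKE),
                        ("SKE in RSA", EXTRA_SKE_RSA), ("unoffered suite", UNOFFERED)]:
        print(f"{name:16s} {check_trace(OFFERED, trace)}")
```

The model keeps exactly one acceptable next message at every point and makes every mismatch fatal; a verified implementation proves the same property over the full protocol, whereas the libraries listed above accepted some sequences no honest peer would send.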