Section: New Results

miTLS: A Verified TLS Implementation

Participants: Karthikeyan Bhargavan, Antoine Delignat-Lavaud [Microsoft Research], Cédric Fournet [Microsoft Research], Markulf Kohlweiss [Microsoft Research], Jianyang Pan, Jonathan Protzenko [Microsoft Research], Aseem Rastogi [Microsoft Research], Nikhil Swamy [Microsoft Research], Santiago Zanella-Béguelin [Microsoft Research], Jean Karim Zinzindohoue.

The record layer is the main bridge between TLS applications and internal sub-protocols. Its core functionality is an elaborate authenticated encryption: streams of messages for each sub-protocol (handshake, alert, and application data) are fragmented, multiplexed, and encrypted with optional padding to hide their lengths. Conversely, the sub-protocols may provide fresh keys or signal stream termination to the record layer.

Compared to prior versions, TLS 1.3 discards obsolete schemes in favor of a common construction for Authenticated Encryption with Associated Data (AEAD), instantiated with algorithms such as AES-GCM and ChaCha20-Poly1305. It differs from TLS 1.2 in its use of padding, associated data and nonces. It encrypts the content-type used to multiplex between sub-protocols. New protocol features such as early application data (0-RTT and 0.5-RTT) and late handshake messages require additional keys and a more general model of stateful encryption.
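The record construction just described (content type hidden under encryption, zero padding to mask the length, the outer record header bound as associated data, and the per-record nonce derived from the sequence number), written out as an added Go example with AES-128-GCM from the standard library. This is not the miTLS F* code; the key and write IV it takes are constructed inputs rather than outputs of the TLS key schedule, and it also handles the two failure cases a receiver must reject: a modified header and a record that contains only padding.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
// One direction of a TLS 1.3 record key (RFC 8446 sec. 5.2-5.3), AES-128-GCM here.
type recordKey struct {
	aead cipher.AEAD
	iv   []byte // write_iv, 12 bytes (a constructed value in this example)
	seq  uint64 // per-direction record sequence number, restarts at 0 on re-key
}
func newRecordKey(key, iv []byte) (*recordKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &recordKey{aead: aead, iv: iv}, err
}
// nextNonce = write_iv XOR (seq left-padded with zeros to 12 bytes); seq then advances, so no nonce repeats under one key.
func (rk *recordKey) nextNonce() []byte {
	n := append([]byte{}, rk.iv...)
	binary.BigEndian.PutUint64(n[4:], binary.BigEndian.Uint64(n[4:])^rk.seq)
	rk.seq++
	return n
}
// Seal: the real content type is appended and encrypted, `padding` zero bytes hide the length, the 5-byte outer header is the AAD.
func (rk *recordKey) Seal(contentType byte, fragment []byte, padding int) []byte {
	inner := append(append(append([]byte{}, fragment...), contentType), make([]byte, padding)...)
	hdr := []byte{23, 3, 3, 0, 0} // opaque_type=application_data, legacy_record_version=0x0303
	binary.BigEndian.PutUint16(hdr[3:], uint16(len(inner)+rk.aead.Overhead()))
	return rk.aead.Seal(hdr, rk.nextNonce(), inner, hdr)
}
// Open verifies a record and strips the padding to recover the true content type; a failed Open is fatal for the connection, so consuming a nonce on failure is harmless.
func (rk *recordKey) Open(rec []byte) (byte, []byte, error) {
	if len(rec) < 5 {
		return 0, nil, errors.New("record too short")
	}
	inner, err := rk.aead.Open(nil, rk.nextNonce(), rec[5:], rec[:5])
	if err != nil {
		return 0, nil, err // bad_record_mac: header or body modified, or wrong key
	}
	if inner = bytes.TrimRight(inner, "\x00"); len(inner) == 0 {
		return 0, nil, errors.New("unexpected_message: padding only, no content type")
	}
	return inner[len(inner)-1], inner[:len(inner)-1], nil
}
```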

As part of the miTLS project, we built and verified a reference implementation of the TLS record layer and its cryptographic algorithms in F*. We reduced the high-level security of the record layer to cryptographic assumptions on its ciphers. Each step in the reduction is verified by typing an F* module; when the step incurs a security loss, this module precisely captures the corresponding game-based security assumption.

We computed concrete security bounds for the AES-GCM and ChaCha20-Poly1305 ciphersuites, and derived recommended limits on the amount of data sent before re-keying. Combining our functional correctness and security results, we obtained the first verified implementation of the main TLS 1.3 record ciphers. We plugged our implementation into an existing TLS library and confirmed that the combination interoperates with Chrome and Firefox, and thus, experimentally, that the new TLS record layer (as described in RFCs and cryptographic standards) is provably secure.

This work appeared at IEEE S&P 2017 [26], and our verified software is publicly available and actively developed on GitHub.