Journal of Cryptology

On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments


Abstract

We consider the theoretically sound selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is quadratic in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be infeasible for practical use at large scale. Hence, while these previous works show that in principle the design of TLS 1.3 is secure in an asymptotic sense, they do not yet provide any useful concrete security guarantees for real-world parameters used in practice. In this work, we provide a new security proof for the cryptographic core of TLS 1.3 in the random oracle model, which reduces the security of TLS 1.3 tightly (that is, with constant security loss) to the (multi-user) security of its building blocks. For some building blocks, such as the symmetric record layer encryption scheme, we can then rely on prior work to establish tight security. For others, such as the RSA-PSS digital signature scheme currently used in TLS 1.3, we obtain at least a linear loss in the number of users, independent of the number of sessions, which is much easier to compensate with reasonable parameters. Our work also shows that by replacing the RSA-PSS scheme with a tightly secure scheme (e.g., in a future TLS version), one can obtain the first fully tightly secure TLS protocol. Our results enable a theoretically sound selection of parameters for TLS 1.3, even in large-scale settings with many users and sessions per user.
