A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
Journal of Cryptology (IF 2.3), Pub Date: 2021-07-30, DOI: 10.1007/s00145-021-09384-1
Benjamin Dowling 1, Felix Günther 1, Marc Fischlin 2, Douglas Stebila 3

We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/“PSK” mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.




Updated: 2021-08-01