skip to content

A long answer to the simple question, "Is TLS provably secure?"

Presented by: 
T Shrimpton [Portland State]
Tuesday 31st January 2012 - 14:45 to 15:30
INI Seminar Room 1
TLS is perhaps the Internet's most widely used security protocol, and at its heart is a subprotocol for providing data privacy and integrity, called the TLS Record Protocol. Is the TLS Record Protocol provably secure? A series of papers starting in 2000 delivered the answers (roughly): no, not for all possible underlying encryption schemes; yes, for some of the specific encryption schemes that TLS uses, but only under some impractical assumptions; yes, under less restrictive assumptions, but for a definition of "secure" that is hard to understand; yes, as long as your integrity-providing "tag" isn't too short. We'll explore this line of papers, as well as some interesting attacks that helped to guide the provable-security results. In the end, we'll argue that the answer is still "it depends on how you use it" by discussing new results on using secure authenticated encryption (e.g. TLS) as a tunnel between a user and a proxy, through which webpages are requested and downloaded. We'll see that it is surprisingly easy to determine which webpage was visited, even in the presence of some sophisticated efforts to fragment and pad the webpage data prior to entering the provably-secure encryption tunnel.
The video for this talk should appear here if JavaScript is enabled.
If it doesn't, something may have gone wrong with our embedded player.
We'll get it fixed as soon as possible.
University of Cambridge Research Councils UK
    Clay Mathematics Institute London Mathematical Society NM Rothschild and Sons