{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T00:09:13Z","timestamp":1769299753247,"version":"3.49.0"},"publisher-location":"Cham","reference-count":88,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319490991","type":"print"},{"value":"9783319491004","type":"electronic"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-319-49100-4_7","type":"book-chapter","created":{"date-parts":[[2016,11,1]],"date-time":"2016-11-01T14:41:42Z","timestamp":1478011302000},"page":"160-186","source":"Crossref","is-referenced-by-count":32,"title":["Reactive and Proactive Standardisation of TLS"],"prefix":"10.1007","author":[{"given":"Kenneth G.","family":"Paterson","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thyla","family":"van der Merwe","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2016,11,2]]},"reference":[{"key":"7_CR1","unstructured":"FlexTLS: A Tool for Testing TLS Implementations. https:\/\/mitls.org\/pages\/flextls"},{"key":"7_CR2","unstructured":"Getting Started in the IETF. https:\/\/www.ietf.org\/newcomers.html . Accessed 06 Aug 2016"},{"key":"7_CR3","unstructured":"miTLS: A Verified Reference Implementation of TLS. https:\/\/mitls.org\/"},{"key":"7_CR4","unstructured":"ProVerif: Cryptographic protocol verifier in the formal model. http:\/\/prosecco.gforge.inria.fr\/personal\/bblanche\/proverif\/"},{"key":"7_CR5","unstructured":"TLS 1.3 Security Properties. 
https:\/\/github.com\/tls13properties\/tls13-properties"},{"key":"7_CR6","doi-asserted-by":"crossref","unstructured":"Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thom\u00e9, E., Valenta, L., VanderSloot, B., Wustrow, E., B\u00e9guelin, S.Z., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In Ray et al. [76], pp. 5\u201317","DOI":"10.1145\/2810103.2813707"},{"key":"7_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"622","DOI":"10.1007\/978-3-662-49890-3_24","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2016","author":"MR Albrecht","year":"2016","unstructured":"Albrecht, M.R., Paterson, K.G.: Lucky Microseconds: A timing attack on amazon\u2019s s2n implementation of TLS. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 622\u2013643. Springer, Heidelberg (2016). doi: 10.1007\/978-3-662-49890-3_24"},{"key":"7_CR8","doi-asserted-by":"crossref","unstructured":"AlFardan, N., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Sommer, R. (ed.) Proceedings of the 2013 IEEE Symposium on Security and Privacy (S&P 2013) (2013)","DOI":"10.1109\/SP.2013.42"},{"key":"7_CR9","doi-asserted-by":"crossref","unstructured":"AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22nd USENIX Security Symposium, Washington D.C., August 2013, pp. 305\u2013320. 
USENIX (2013)","DOI":"10.1109\/MPRV.2013.43"},{"key":"7_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/978-3-662-52993-5_9","volume-title":"Fast Software Encryption","author":"JB Almeida","year":"2016","unstructured":"Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 163\u2013184. Springer, Heidelberg (2016). doi: 10.1007\/978-3-662-52993-5_9"},{"key":"7_CR11","doi-asserted-by":"crossref","unstructured":"Apecechea, G.I., Inci, M.S., Eisenbarth, T., Sunar, B.: Lucky 13 strikes back. In: Bao, F., Miller, S., Zhou, J., Ahn, G.-J. (eds.) Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2015, Singapore, 14\u201317 April 2015, pp. 85\u201396. ACM (2015)","DOI":"10.1145\/2714576.2714625"},{"key":"7_CR12","unstructured":"Arai, K.: Formal Verification of TLS 1.3 Full Handshake Protocol Using Proverif. Technical report, Cryptographic protocol Evaluation toward Long-Lived Outstanding Security Consortium (CELLOS), February 2016. https:\/\/www.cellos-consortium.org\/studygroup\/TLS1.3-fullhandshake-draft11.pv"},{"key":"7_CR13","unstructured":"Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., K\u00e4sper, E., Cohney, S., Engels, S., Paar, C., Shavitt, Y.: DROWN: breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, 10\u201312 August 2016, pp. 689\u2013706. USENIX Association (2016)"},{"key":"7_CR14","doi-asserted-by":"crossref","unstructured":"Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: Malek, M., Fern\u00e1ndez-Medina, E., Hernando, J. (eds.) SECRYPT, pp. 99\u2013109. 
INSTICC Press (2006)","DOI":"10.5220\/0002104100990109"},{"key":"7_CR15","doi-asserted-by":"crossref","unstructured":"Berners-Lee, T., Fielding, R., Frystyk, H.: The Hypertext Transfer Protocol HTTP\/1.0. RFC 1945 (Informational), May 1996","DOI":"10.17487\/rfc1945"},{"key":"7_CR16","unstructured":"Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Ishtiaq, S., Kohlweiss, M., Protzenko, J., Swamy, N., Zanella-B\u00e9guelin, S., Zinzindohoue, J.K.: Towards a Provably Secure Implementation of TLS 1.3. Presented at TRON 1.0, San Diego, 21 February 2016"},{"key":"7_CR17","doi-asserted-by":"crossref","unstructured":"Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, 17\u201321 May 2015, pp. 535\u2013552. IEEE Computer Society (2015)","DOI":"10.1109\/SP.2015.39"},{"key":"7_CR18","unstructured":"Bhargavan, K., Kobeissi, N., Blanchet, B.: ProScript T.L.S.: Building a TLS 1.3 Implementation with a Verifiable Protocol Model. Presented at TRON 1.0, San Diego, 21 February 2016"},{"key":"7_CR19","doi-asserted-by":"crossref","unstructured":"Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., Zanella-B\u00e9guelin, S.: Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23\u201325 May 2016","DOI":"10.1109\/SP.2016.37"},{"key":"7_CR20","doi-asserted-by":"crossref","unstructured":"Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes, cookie cutters: breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, 18\u201321 May 2014, pp. 98\u2013113. 
IEEE Computer Society (2014)","DOI":"10.1109\/SP.2014.14"},{"key":"7_CR21","doi-asserted-by":"crossref","unstructured":"Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y., Handshakes, T., Cutters, C.: Breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, 18\u201321 May 2014, pp. 98\u2013113 (2014)","DOI":"10.1109\/SP.2014.14"},{"key":"7_CR22","doi-asserted-by":"crossref","unstructured":"Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y.: Implementing TLS with verified cryptographic security. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, 19\u201322 May 2013, pp. 445\u2013459. IEEE Computer Society (2013)","DOI":"10.1109\/SP.2013.37"},{"key":"7_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1007\/978-3-662-44381-1_14","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"K Bhargavan","year":"2014","unstructured":"Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-B\u00e9guelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235\u2013255. Springer, Heidelberg (2014). doi: 10.1007\/978-3-662-44381-1_14"},{"key":"7_CR24","doi-asserted-by":"crossref","unstructured":"Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, 21\u201324 February 2016","DOI":"10.14722\/ndss.2016.23418"},{"key":"7_CR25","doi-asserted-by":"crossref","unstructured":"Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), 11\u201313 June 2001, Cape Breton, pp. 
82\u201396 (2001)","DOI":"10.1109\/CSFW.2001.930138"},{"key":"7_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/BFb0055716","volume-title":"Advances in Cryptology \u2014 CRYPTO \u201998","author":"D Bleichenbacher","year":"1998","unstructured":"Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1\u201312. Springer, Heidelberg (1998). doi: 10.1007\/BFb0055716"},{"key":"7_CR27","doi-asserted-by":"crossref","unstructured":"Bricout, R., Murphy, S., Paterson, K.G., Van der Merwe, T.: Analysing and exploiting the Mantin biases in RC4. IACR Cryptology ePrint Archive, 2016:63 (2016)","DOI":"10.1007\/s10623-017-0355-3"},{"key":"7_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1007\/978-3-540-45146-4_34","volume-title":"Advances in Cryptology - CRYPTO 2003","author":"B Canvel","year":"2003","unstructured":"Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL\/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583\u2013599. Springer, Heidelberg (2003). doi: 10.1007\/978-3-540-45146-4_34"},{"key":"7_CR29","first-page":"149","volume":"5","author":"S Chauhan","year":"2013","unstructured":"Chauhan, S., Sobti, R., Geetha, G., Anand, S.: Cryptanalysis of SHA-3 candidates: a survey. Res. J. Inf. Technol. 5, 149\u2013159 (2013)","journal-title":"Res. J. Inf. Technol."},{"key":"7_CR30","unstructured":"Chen, L., Mitchell, C. (eds.): SSR 2014. Security and Cryptology. LNCS, vol. 8893. Springer (2014)"},{"key":"7_CR31","doi-asserted-by":"crossref","unstructured":"Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. 
In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23\u201325 May 2016","DOI":"10.1109\/SP.2016.35"},{"key":"7_CR32","doi-asserted-by":"crossref","unstructured":"Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, January 1999","DOI":"10.17487\/rfc2246"},{"key":"7_CR33","doi-asserted-by":"crossref","unstructured":"Dierks, T., Allen, C.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, April 2006","DOI":"10.17487\/rfc4346"},{"key":"7_CR34","doi-asserted-by":"crossref","unstructured":"Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, August 2008","DOI":"10.17487\/rfc5246"},{"key":"7_CR35","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In Ray et al. [76], pp. 1197\u20131210","DOI":"10.1145\/2810103.2813653"},{"key":"7_CR36","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016\/081 (2016). http:\/\/eprint.iacr.org\/"},{"key":"7_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"270","DOI":"10.1007\/978-3-319-19962-7_16","volume-title":"Information Security and Privacy","author":"B Dowling","year":"2015","unstructured":"Dowling, B., Stebila, D.: Modelling ciphersuite and version negotiation in the TLS protocol. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 270\u2013288. Springer, Heidelberg (2015). doi: 10.1007\/978-3-319-19962-7_16"},{"key":"7_CR38","unstructured":"Duong, T., Rizzo, J.: Here come the $$\\oplus $$ \u2295 Ninjas. 
Unpublished manuscript (2011)"},{"key":"7_CR39","doi-asserted-by":"crossref","unstructured":"Dworkin, M.J.: SHA-3 Standard: permutation-based hash and extendable-output functions. FIPS 202, August 2015","DOI":"10.6028\/NIST.FIPS.202"},{"key":"7_CR40","unstructured":"Dworkin, M.J., Barker, E.B., Nechvatal, J.R., Foti, J., Bassham, L.E., Roback, E., Dray, Jr., J.F.: Announcing the Advanced Encryption Standard (AES). FIPS PUB 197, November 2001"},{"key":"7_CR41","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, pp. 1193\u20131204, 3\u20137 November 2014","DOI":"10.1145\/2660267.2660308"},{"key":"7_CR42","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23\u201325 May 2016","DOI":"10.1109\/SP.2016.34"},{"key":"7_CR43","doi-asserted-by":"crossref","unstructured":"Freier, A., Karlton, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic Document), August 2011","DOI":"10.17487\/rfc6101"},{"key":"7_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-540-88733-1_22","volume-title":"Provable Security","author":"S Gajek","year":"2008","unstructured":"Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313\u2013327. Springer, Heidelberg (2008). doi: 10.1007\/978-3-540-88733-1_22"},{"key":"7_CR45","unstructured":"Garman, C., Paterson, K.G., Van der Merwe, T.: Attacks only get better: password recovery attacks against RC4 in TLS. 
In Jung and Holz [53], pp. 113\u2013128"},{"key":"7_CR46","unstructured":"Garret, D.: Banning SHA-1 in TLS 1.3, a new attempt. TLS mailing list post, October 2015. http:\/\/www.ietf.org\/mail-archive\/web\/tls\/current\/msg17956.html"},{"key":"7_CR47","unstructured":"Garret, D.: MD5 diediedie (was Re: Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms). TLS mailing list post, January 2016. http:\/\/www.ietf.org\/mail-archive\/web\/tls\/current\/msg18977.html"},{"key":"7_CR48","doi-asserted-by":"crossref","unstructured":"Giesen, F., Kohlar, F., Stebila, D.: On the security of TLS renegotiation. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, 4\u20138 November 2013, pp. 387\u2013398. ACM (2013)","DOI":"10.1145\/2508859.2516694"},{"key":"7_CR49","doi-asserted-by":"crossref","unstructured":"Griffin, P.H.: Standardization transparency - an out of body experience. In: Chen and Mitchell [30], pp. 57\u201368","DOI":"10.1007\/978-3-319-14054-4_4"},{"key":"7_CR50","doi-asserted-by":"crossref","unstructured":"Guttman, J.D., Liskov, M.D., Rowe, P.D.: Security goals and evolving standards. In: Chen and Mitchell [30], pp. 93\u2013110","DOI":"10.1007\/978-3-319-14054-4_7"},{"key":"7_CR51","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-642-32009-5_17","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012","author":"T Jager","year":"2012","unstructured":"Jager, T., Kohlar, F., Sch\u00e4ge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg (2012). doi: 10.1007\/978-3-642-32009-5_17"},{"key":"7_CR52","doi-asserted-by":"crossref","unstructured":"Jager, T., Schwenk, J., Somorovsky, J.: On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. 
In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12\u201316 October 2015, pp. 1185\u20131196 (2015)","DOI":"10.1145\/2810103.2813657"},{"key":"7_CR53","unstructured":"Jung, J., Holz, T., (eds.): 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., 12\u201314 August 2015. USENIX Association (2015)"},{"key":"7_CR54","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/3-540-45661-9_21","volume-title":"Fast Software Encryption","author":"J Kelsey","year":"2002","unstructured":"Kelsey, J.: Compression and information leakage of plaintext. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 263\u2013276. Springer, Heidelberg (2002). doi: 10.1007\/3-540-45661-9_21"},{"key":"7_CR55","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"426","DOI":"10.1007\/978-3-540-45238-6_33","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2003","author":"V Kl\u00edma","year":"2003","unstructured":"Kl\u00edma, V., Pokorn\u00fd, O., Rosa, T.: Attacking RSA-based sessions in SSL\/TLS. In: Walter, C.D., Ko\u00e7, \u00c7.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 426\u2013440. Springer, Heidelberg (2003). doi: 10.1007\/978-3-540-45238-6_33"},{"key":"7_CR56","unstructured":"Kohlar, F., Sch\u00e4ge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. IACR Cryptology ePrint Archive, 2013:367 (2013)"},{"key":"7_CR57","unstructured":"Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)constructing TLS. 
IACR Cryptology ePrint Archive, 2014:20 (2014)"},{"key":"7_CR58","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"310","DOI":"10.1007\/3-540-44647-8_19","volume-title":"Advances in Cryptology \u2014 CRYPTO 2001","author":"H Krawczyk","year":"2001","unstructured":"Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310\u2013331. Springer, Heidelberg (2001). doi: 10.1007\/3-540-44647-8_19"},{"key":"7_CR59","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"631","DOI":"10.1007\/978-3-642-14623-7_34","volume-title":"Advances in Cryptology \u2013 CRYPTO 2010","author":"H Krawczyk","year":"2010","unstructured":"Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631\u2013648. Springer, Heidelberg (2010). doi: 10.1007\/978-3-642-14623-7_34"},{"key":"7_CR60","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1007\/978-3-642-40041-4_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"H Krawczyk","year":"2013","unstructured":"Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg (2013). doi: 10.1007\/978-3-642-40041-4_24"},{"key":"7_CR61","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. IACR Cryptology ePrint Archive, 2015:978 (2015)","DOI":"10.1109\/EuroSP.2016.18"},{"key":"7_CR62","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbr\u00fccken, 21\u201324 March 2016, pp. 81\u201396. 
IEEE (2016)","DOI":"10.1109\/EuroSP.2016.18"},{"key":"7_CR63","unstructured":"Langley, A., Chang, W.: QUIC Crypto, June 2013. https:\/\/docs.google.com\/document\/d\/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g\/"},{"key":"7_CR64","doi-asserted-by":"crossref","unstructured":"Li, X., Xu, J., Zhang, Z., Feng, D., Hu, H.: Multiple handshakes security of TLS 1.3 candidates. In: 2016 IEEE Symposium on Security and Privacy, SP 2016, San Jose, 23\u201325 May 2016","DOI":"10.1109\/SP.2016.36"},{"key":"7_CR65","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"669","DOI":"10.1007\/978-3-642-54631-0_38","volume-title":"Public-Key Cryptography \u2013 PKC 2014","author":"Y Li","year":"2014","unstructured":"Li, Y., Sch\u00e4ge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the pre-shared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669\u2013684. Springer, Heidelberg (2014). doi: 10.1007\/978-3-642-54631-0_38"},{"key":"7_CR66","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"152","DOI":"10.1007\/3-540-45473-X_13","volume-title":"Fast Software Encryption","author":"I Mantin","year":"2002","unstructured":"Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152\u2013164. Springer, Heidelberg (2002). doi: 10.1007\/3-540-45473-X_13"},{"key":"7_CR67","unstructured":"Matsuo, S.: Formal verification of TLS 1.3 full handshake protocol using ProVerif (Draft-11). TLS mailing list post, February 2016. https:\/\/www.ietf.org\/mail-archive\/web\/tls\/current\/msg19339.html"},{"key":"7_CR68","doi-asserted-by":"crossref","unstructured":"Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneela, B.: A cross-protocol attack on the TLS protocol. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, pp. 
62\u201372. ACM Press, October 2012","DOI":"10.1145\/2382196.2382206"},{"key":"7_CR69","unstructured":"Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting SSL\/TLS implementations: new Bleichenbacher side channels and attacks. In: Fu, K., Jung, J., (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, 20\u201322 August 2014, pp. 733\u2013748. USENIX Association (2014)"},{"key":"7_CR70","unstructured":"Moeller, B.: Security of CBC ciphersuites in SSL\/TLS: problems and countermeasures. Unpublished manuscript, May 2004. http:\/\/www.openssl.org\/~bodo\/tls-cbc.txt"},{"key":"7_CR71","unstructured":"M\u00f6ller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback, September 2014"},{"issue":"2","key":"7_CR72","doi-asserted-by":"crossref","first-page":"187","DOI":"10.1007\/s00145-009-9052-3","volume":"23","author":"P Morrissey","year":"2010","unstructured":"Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: a modular analysis. J. Cryptol. 23(2), 187\u2013223 (2010)","journal-title":"J. Cryptol."},{"key":"7_CR73","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"372","DOI":"10.1007\/978-3-642-25385-0_20","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2011","author":"KG Paterson","year":"2011","unstructured":"Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size Does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372\u2013389. Springer, Heidelberg (2011). doi: 10.1007\/978-3-642-25385-0_20"},{"key":"7_CR74","doi-asserted-by":"crossref","unstructured":"Popov, A.: Prohibiting RC4 Cipher Suites. RFC 7465 (Proposed Standard), February 2015","DOI":"10.17487\/rfc7465"},{"key":"7_CR75","doi-asserted-by":"crossref","unstructured":"Postel, J.: Internet Protocol. 
RFC 791, Internet Engineering Task Force, September 1981","DOI":"10.17487\/rfc0791"},{"key":"7_CR76","unstructured":"Ray, I., Li, N., Kruegel, C., (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, 12\u20136 October 2015. ACM (2015)"},{"key":"7_CR77","unstructured":"Federal Register. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA 3) Family. Federal Register, November 2007"},{"key":"7_CR78","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, Draft 15. Internet draft, Internet Engineering Task Force, August 2016"},{"key":"7_CR79","doi-asserted-by":"crossref","unstructured":"Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), February 2010","DOI":"10.17487\/rfc5746"},{"key":"7_CR80","unstructured":"Rogaway, P.: Problems with proposed IP cryptography. Unpublished manuscript (1995). http:\/\/www.cs.ucdavis.edu\/~rogaway\/papers\/draft-rogaway-ipsec-comments-00.txt"},{"key":"7_CR81","unstructured":"Roskind, J.: QUIC: Quick UDP Internet Connections, April 2012. https:\/\/docs.google.com\/document\/d\/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34\/edit?pref=2&pli=1"},{"key":"7_CR82","unstructured":"Sarkar, P.G., Fitzgerald, S.: Attacks on SSL - a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky 13 and RC4 biases, August 2013"},{"key":"7_CR83","unstructured":"Tamarin prover GitHub repository (develop branch) (2015). https:\/\/github.com\/tamarin-prover\/tamarin-prover"},{"key":"7_CR84","doi-asserted-by":"crossref","unstructured":"Turner, S., Polk, T.: Prohibiting Secure Sockets Layer (SSL) Version 2.0. RFC 6176 (Proposed Standard), March 2011","DOI":"10.17487\/rfc6176"},{"key":"7_CR85","unstructured":"Vanhoef, M., Piessens, F.: All your biases belong to us: breaking RC4 in WPA-TKIP and TLS. In Jung and Holz [53], pp. 
97\u2013112"},{"key":"7_CR86","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"534","DOI":"10.1007\/3-540-46035-7_35","volume-title":"Advances in Cryptology \u2014 EUROCRYPT 2002","author":"S Vaudenay","year":"2002","unstructured":"Vaudenay, S.: Security flaws induced by CBC padding \u2014 applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534\u2013545. Springer, Heidelberg (2002). doi: 10.1007\/3-540-46035-7_35"},{"key":"7_CR87","unstructured":"Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: USENIX Electronic Commerce (1996)"},{"key":"7_CR88","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/11426639_2","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2005","author":"X Wang","year":"2005","unstructured":"Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19\u201335. Springer, Heidelberg (2005). doi: 10.1007\/11426639_2"}],"container-title":["Lecture Notes in Computer Science","Security Standardisation Research"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-49100-4_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,11]],"date-time":"2025-06-11T23:04:07Z","timestamp":1749683047000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-49100-4_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783319490991","9783319491004"],"references-count":88,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-49100-4_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016]]}}}