Towards a Provably Secure Implementation of TLS 1.3

We report ongoing work towards a verified reference
implementation of TLS 1.3 in the F* programming language. Our
code supports selected ciphersuites for all versions of TLS from
1.0 to 1.3. It is being developed on http://github.com/mitls as the
next version of MITLS, written in F? instead of F#. We intend to
prove a strong, joint cryptographic security theorem for TLS 1.3
clients and servers, even when they run alongside older versions
of the protocol with weaker security. Our verification approach
adapts and extends that of MITLS in several ways: (1) we adopt
an idiomatic stateful style that promises higher performance than
the pure functional style of MITLS; (2) we seek to prove stronger
security properties with fewer ad hoc assumptions; (3) we rely on
advanced F? type inference to substantially reduce both the code
base and the typed proof annotations. This paper describes our
implementation architecture, our new composite state machine
for TLS 1.0–1.3, and our target security theorem. By the time of
the TRON workshop, we will present concrete verification results
for our implementation. As far as we are aware, these will be
the first cryptographic proofs for an implementation of TLS 1.3,
and a fortiori for an implementation that is backward compatible
with older versions of the protocol. We anticipate that our effort
will identify early problems and offer implementation guidelines
for other TLS libraries.