Re: [Cfrg] When TLS is an overkill...

"Dr. Pala" <> Mon, 25 February 2019 16:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75F261277CC for <>; Mon, 25 Feb 2019 08:37:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sdlC4tVPqZOY for <>; Mon, 25 Feb 2019 08:37:22 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id AB5F2130E7B for <>; Mon, 25 Feb 2019 08:37:22 -0800 (PST)
Received: from localhost (unknown []) by (Postfix) with ESMTP id 54E023741061; Mon, 25 Feb 2019 16:37:22 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id pBcdqp00VgF7; Mon, 25 Feb 2019 11:37:16 -0500 (EST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 7AFCD37407FD; Mon, 25 Feb 2019 11:37:16 -0500 (EST)
To: "Stanislav V. Smyshlyaev" <>
References: <> <>
From: "Dr. Pala" <>
Organization: OpenCA Labs
Message-ID: <>
Date: Mon, 25 Feb 2019 09:37:15 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------22E41C90F7AA87F69F3D8648"
Content-Language: en-US
Archived-At: <>
Subject: Re: [Cfrg] When TLS is an overkill...
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Feb 2019 16:37:25 -0000

Hi Stanislav,

I have not read it yet - from the abstract it seems it provides the 
solution for CBOR/COSE for ECDHE. It is definitely relevant - thanks for 
the pointer. From what I see, it seems that this is another example of 
the need for having such BCP (?) that can be implemented in different 
environments and can use different encodings (e.g., JSON, ASN.1, Binary, 
XML, etc.)

The specific I-D seems to be a bit too restrictive for a generic 
protocol - i.e., does not supports certificates, only intended for 
CBOR/COSE, and does only one algorithm for key exchange: I am thinking 
more in the direction of an "algorithm-independent" approach that would 
not require updating when new algorithms for key-exchange, for example, 
are standardized and deployed (e.g., hash-based signatures) and can 
support traditional, post-quantum, and future algorithms (as long as no 
"new paradigm" is introduced). However, besides all these 
"ecosystem-specific" limitations, the work goes in the same direction as 
what I am saying here: establish an encryption algorithm and a key by 
using 3 messages only.

Thanks for the pointer, I will look more closely into that document to 
see what they include in those messages and why.


On 2/25/19 9:03 AM, Stanislav V. Smyshlyaev wrote:
> Dear Max,
> Just a quick comment: have you had a chance to have a look at the 
> protocol (also a SIGMA-based one) described in
> It may 
> not be the silver bullet but is definitely worth considering when 
> thinking about such questions.
> Best regards,
> Stanislav
> пн, 25 февр. 2019 г. в 18:56, Dr. Pala < 
> <>>:
>     Hi CFRG,
>     I am working on some aspects about provisioning credentials and
>     authenticating devices and I noticed that sometimes people use TLS
>     to establish a secure channel with a server even when all they
>     want to do (i.e., no extra features/checks/etc.) could potentially
>     be achieved in just 2/3 messages. An example of this is EAP -
>     whenever a secure channel needs to be established, EAP-TLS,
>     EAP-TTLS, EAP-TEAP, etc. must be supported to tunnel the 2nd
>     method that will be used for authentication.
>     My question for the group is: if we were to use a "simple" way to
>     establish the secure channel, are there recommendations for what
>     should be in those messages ? What would be the minimum set of
>     required data that MUST be included in the exchange ?
>     A rough example of such messages could be (A = Client, B = Server):
>       * [A] { Supported Encryption Algorithms List,
>                Supported Key-Exchange Algorithms List,
>                Encryption Initialization Data,
>                MSG Authentication } -> [B]
>       * [B] { Selected Encryption Algorithm and Params,
>                Selected Key-Exchange Algorithm and Params,
>                Key-Exchange Params (e.g., ECDHE),
>                (Optional) Credentials (e.g., Certificate Chain),
>                Encryption Initialization Data,
>                MSG Authentication } -> [A]
>       * [A] { Selected Encryption Algorithm and Params,
>                Selected Key-Exchange Params (e.g., ECDHE),
>                Key-Exchange Params (e.g., ECDHE),
>                (Optional) My Credentials Encrypted (e.g., Certificate
>         Chain),
>                MSG Authentication } -> [B]
>     From now on, the two parties end up with a shared secret key and
>     agreed-upon encryption algorithm.
>     In environments where the number of exchanged messages matter -
>     EAP is a great example of that - having a standardized method that
>     provides the possibility of establishing a secure communication
>     channel very easily would be great. After that, I think that
>     either the TLS layer can kick in and manage the encryption or
>     other options might be used for the encryption of the data itself
>     (e.g., directly encrypting the data record by record).
>     Looking forward to hearing from you,
>     Cheers,
>     Max
>     -- 
>     Best Regards,
>     Massimiliano Pala, Ph.D.
>     OpenCA Labs Director
>     OpenCA Logo
>     _______________________________________________
>     Cfrg mailing list
> <>
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo