IETF Logo Mail Archive

Re: [Cfrg] When TLS is an overkill...

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 26 February 2019 00:14 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D751E12E036 for <cfrg@ietfa.amsl.com>; Mon, 25 Feb 2019 16:14:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHYI9tRTCTEU for <cfrg@ietfa.amsl.com>; Mon, 25 Feb 2019 16:14:57 -0800 (PST)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 897E4127598 for <cfrg@irtf.org>; Mon, 25 Feb 2019 16:14:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1551140096; x=1582676096; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=oG7LARq7SSYGf3raG5E/pcrLyOpFyZCnffYp3izBADM=; b=CgzvnnUwbp8t9SxHXJHFE/5el1toYYbdUNfCk40N0oTqTBUCw1KpzF5A +EpHUnOX1KXWF+HwB1QsGavJG9KPebTr4XN/Tuw/fEEVQpE1zL61MRt6d J/v4J9iorvcQfSlSEiIxn/ycTGsA6M9Z9b5aVym784i9WMd+yHDHgYt7W KuoFdhflPVTkl87FfI06aPZUa5LiEUw5+QAKmlBGWtY059J4hH0Cz0JBL hGnG37y1i+EA9Tdg0VuACNouvfQ2z2kyru/q4+eZ3eqrZaDB8bxF+eJF4 mCN41xjCl33WgyaTydhNXTmLXfOumeNdm8fUbuOh0ll308UNg3oFCQkoz A==;
X-IronPort-AV: E=Sophos;i="5.58,413,1544439600"; d="scan'208";a="49578394"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from uxcn13-ogg-d.uoa.auckland.ac.nz ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 26 Feb 2019 13:14:34 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Feb 2019 13:14:34 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) with mapi id 15.00.1395.000; Tue, 26 Feb 2019 13:14:34 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Dr. Pala" <director@openca.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] When TLS is an overkill...
Thread-Index: AQHUzSKukiG8dhm0/EGRP1ORKkdCfqXxNfX5
Date: Tue, 26 Feb 2019 00:14:33 +0000
Message-ID: <1551140056245.65505@cs.auckland.ac.nz>
References: <307807bf-09eb-96c7-028f-df9573463b11@openca.org>
In-Reply-To: <307807bf-09eb-96c7-028f-df9573463b11@openca.org>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/N-qdq7ukQaeUOF-Iot7hbXXjM68>
Subject: Re: [Cfrg] When TLS is an overkill...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 00:15:00 -0000

Dr. Pala <director@openca.org>​

>I noticed that sometimes people use TLS to establish a secure channel with a
>server even when all they want to do (i.e., no extra features/checks/etc.)
>could potentially be achieved in just 2/3 messages. An example of this is EAP
>- whenever a secure channel needs to be established, EAP-TLS, EAP-TTLS, EAP-
>TEAP, etc. must be supported to tunnel the 2nd method that will be used for
>authentication.

That's because it's required for EAP, which in the form of EAP / RADIUS is the
universal standard for device authentication.  There are (at least) tens of
billions of devices that use this somewhere.  It's not used because it's a
technically good solution (running EAP over DIAMETER over EAP-TLS over EAP
over RADIUS over UDP is probably close to insane), but because there's a vast
global infrastructure that supports it.

>My question for the group is: if we were to use a "simple" way to establish
>the secure channel, are there recommendations for what should be in those
>messages ? What would be the minimum set of required data that MUST be
>included in the exchange ?

Also, what colour should the various pieces be painted, and should it be
gloss, satin, or matt?

You're asking the wrong question(s).  What problem are you trying to solve?
Without that frame of reference, it's not possible to answer any of the
questions you're asking.

If you want an example of some designs that do a good job of solving a
particular problem, look at LoRaWAN security or WireGuard.  They solve a
specific, widely-encountered problem, and they do a pretty good job of it
without adding a ton of unnecessary bloat.

Peter.

v2.23.0 | Report a Bug | By Email