[Cfrg] Key establishment advice (say, for TLS): How about MQV?
Dan Brown <dbrown@certicom.com> Tue, 04 March 2014 17:10 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 006931A01F1 for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 09:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RkIaPs2hqBzu for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 09:10:36 -0800 (PST)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 2A88A1A00BB for <cfrg@irtf.org>; Tue, 4 Mar 2014 09:10:34 -0800 (PST)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 04 Mar 2014 12:10:26 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0158.001; Tue, 4 Mar 2014 12:10:25 -0500
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Key establishment advice (say, for TLS): How about MQV?
Thread-Index: Ac83y/XzDQiu/1FDQ1CkcoITbwYX2w==
Date: Tue, 04 Mar 2014 17:10:24 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C46AB5@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00C4_01CF37A2.B8D6FAC0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/UWjYPnFwfV5wurwXEtDqUwJskVE
Subject: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 17:10:41 -0000
Dear CFRG list,
If I understand correctly, the TLS WG plans a protocol revision which will
modify the underlying key establishment scheme. Should CFRG advise TLS on
key establishment?
Naturally, TLS may have some specific requirements, directed towards the
nature of the client and server in the transport layer, whereas CFRG might
have expertise on a more generic security level. So, perhaps, TLS could
convey its requirements to CFRG, and CFRG could return a set of key
establishment schemes that meet those requirements, in particular, those
which have been extensively researched. (Well, that's a bit formal, and
probably requires a few more iterations than I described, but seems sensible
to me.) More likely, TLS will pick their own key establishment scheme, and
ask for CFRG's blessing.
I haven't followed the TLS list too closely, but I'd summarize two main
possible approaches as: (1) patch and (2) overhaul. On the overhaul side,
I've seen Watson Ladd's suggestion of signed ephemeral DH: which is
something TLS already has, with the core of the proposal being to narrow the
options drastically. I've also seen a couple of IACR eprints analyzing the
security of certain TLS ciphersuites. (Maybe these would go on the patch
side?) If I recall those papers correctly, they define some special
security models just for TLS, but I forget if these models were chosen just
to make the proofs work for the protocols used in the ciphersuites, or for
something more fundamental like the nature of the transport layer.
***
I'd like to suggest a key establishment scheme for CFRG consideration: MQV
(or one of its successors, maybe), with an eye to perhaps recommend to IETF
WGs such as TLS.
***
Some generic (non-TLS-specific) issues for MQV:
Two benefits of MQV over signed ephemeral DH, as I see it, would be
efficiency (though I'm no expert) and better plausible deniability (due to
the lack of signatures). I wonder what CFRG thinks of these benefits.
Existing standards that specify versions of MQV include ANSI X9.{44,63,98},
NIST SP 800-56A, IEEE P1363, and SEC1. Therefore, it may be redundant for
CFRG to draft on RFC for MQV, although CFRG may wish to write an RFC to
profile the version that they like best.
These standards go towards the maturity of MQV, in the sense that they
received scrutiny from the committees that drafted them, and have been
public for a long time, and have served as an incentive to cryptanalytic
research, being fairly high profile targets.
The HMQV paper by Krawczyk critiques MQV, but these critiques did not seem
terribly serious to me, at least when I last read them years ago. Also, I'm
not sure how other key establishment schemes fare under these more stringent
requirements (session-state reveal attacks, and so on).
The version of the MQV from NIST requires identifiers in the KDF, which
helps prevent UKS attacks. (I'm not sure if TLS needs to resist UKS
attacks, but a recent thread on the TLS reminds of UKS attacks.)
I recently released a (rather theoretical and very incomplete) IACR eprint
on MQV. It only covers a modest, but essential, level of security for key
agreement schemes. I think other people on the CFRG list are much more up
to speed on the key establishment schemes.
***
Some TLS-specific issues for MQV, but at a high level for CFRG
consideration:
Past proposals to integrate MQV into TLS a few times include:
https://datatracker.ietf.org/doc/search/?name=mqv
<https://datatracker.ietf.org/doc/search/?name=mqv&rfcs=on&activedrafts=on&o
lddrafts=on&sort> &rfcs=on&activedrafts=on&olddrafts=on&sort=
Perhaps these could be improved, given current knowledge on key agreement.
A major issue is that MQV usually presumes mutual authentication, but TLS
accommodates anonymous clients. Leaving the MQV client "static" key
unauthenticated seems, at least intuitively, to reduce MQV to DH, on the
client side, which is not much of a loss. It may be possible to have
stateful TLS client retain a static MQV key, but still unauthenticated. This
could be used for the weaker TOFU model of trust, so may still have some
security benefit.
If I understand correctly, TLS may now want to add some kind of anonymity,
e.g. encryption of certificates and other identifiers. Since MQV involves
sending ephemeral key, these could, at the cost of an extra shared key
computation, protect the static (certified or trusted) keys against passive
adversaries. I'm not sure if the resulting double use of the ephemeral keys
would undermine the security of MQV.
Best regards,
- Dan
- [Cfrg] Key establishment advice (say, for TLS): H… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Peter Gutmann
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd