[Cfrg] Key establishment advice (say, for TLS): How about MQV?
Dan Brown <dbrown@certicom.com> Tue, 04 March 2014 17:10 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 006931A01F1 for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 09:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RkIaPs2hqBzu for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 09:10:36 -0800 (PST)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 2A88A1A00BB for <cfrg@irtf.org>; Tue, 4 Mar 2014 09:10:34 -0800 (PST)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 04 Mar 2014 12:10:26 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0158.001; Tue, 4 Mar 2014 12:10:25 -0500
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Key establishment advice (say, for TLS): How about MQV?
Thread-Index: Ac83y/XzDQiu/1FDQ1CkcoITbwYX2w==
Date: Tue, 04 Mar 2014 17:10:24 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C46AB5@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00C4_01CF37A2.B8D6FAC0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/UWjYPnFwfV5wurwXEtDqUwJskVE
Subject: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 17:10:41 -0000
Dear CFRG list, If I understand correctly, the TLS WG plans a protocol revision which will modify the underlying key establishment scheme. Should CFRG advise TLS on key establishment? Naturally, TLS may have some specific requirements, directed towards the nature of the client and server in the transport layer, whereas CFRG might have expertise on a more generic security level. So, perhaps, TLS could convey its requirements to CFRG, and CFRG could return a set of key establishment schemes that meet those requirements, in particular, those which have been extensively researched. (Well, that's a bit formal, and probably requires a few more iterations than I described, but seems sensible to me.) More likely, TLS will pick their own key establishment scheme, and ask for CFRG's blessing. I haven't followed the TLS list too closely, but I'd summarize two main possible approaches as: (1) patch and (2) overhaul. On the overhaul side, I've seen Watson Ladd's suggestion of signed ephemeral DH: which is something TLS already has, with the core of the proposal being to narrow the options drastically. I've also seen a couple of IACR eprints analyzing the security of certain TLS ciphersuites. (Maybe these would go on the patch side?) If I recall those papers correctly, they define some special security models just for TLS, but I forget if these models were chosen just to make the proofs work for the protocols used in the ciphersuites, or for something more fundamental like the nature of the transport layer. *** I'd like to suggest a key establishment scheme for CFRG consideration: MQV (or one of its successors, maybe), with an eye to perhaps recommend to IETF WGs such as TLS. *** Some generic (non-TLS-specific) issues for MQV: Two benefits of MQV over signed ephemeral DH, as I see it, would be efficiency (though I'm no expert) and better plausible deniability (due to the lack of signatures). I wonder what CFRG thinks of these benefits. Existing standards that specify versions of MQV include ANSI X9.{44,63,98}, NIST SP 800-56A, IEEE P1363, and SEC1. Therefore, it may be redundant for CFRG to draft on RFC for MQV, although CFRG may wish to write an RFC to profile the version that they like best. These standards go towards the maturity of MQV, in the sense that they received scrutiny from the committees that drafted them, and have been public for a long time, and have served as an incentive to cryptanalytic research, being fairly high profile targets. The HMQV paper by Krawczyk critiques MQV, but these critiques did not seem terribly serious to me, at least when I last read them years ago. Also, I'm not sure how other key establishment schemes fare under these more stringent requirements (session-state reveal attacks, and so on). The version of the MQV from NIST requires identifiers in the KDF, which helps prevent UKS attacks. (I'm not sure if TLS needs to resist UKS attacks, but a recent thread on the TLS reminds of UKS attacks.) I recently released a (rather theoretical and very incomplete) IACR eprint on MQV. It only covers a modest, but essential, level of security for key agreement schemes. I think other people on the CFRG list are much more up to speed on the key establishment schemes. *** Some TLS-specific issues for MQV, but at a high level for CFRG consideration: Past proposals to integrate MQV into TLS a few times include: https://datatracker.ietf.org/doc/search/?name=mqv <https://datatracker.ietf.org/doc/search/?name=mqv&rfcs=on&activedrafts=on&o lddrafts=on&sort> &rfcs=on&activedrafts=on&olddrafts=on&sort= Perhaps these could be improved, given current knowledge on key agreement. A major issue is that MQV usually presumes mutual authentication, but TLS accommodates anonymous clients. Leaving the MQV client "static" key unauthenticated seems, at least intuitively, to reduce MQV to DH, on the client side, which is not much of a loss. It may be possible to have stateful TLS client retain a static MQV key, but still unauthenticated. This could be used for the weaker TOFU model of trust, so may still have some security benefit. If I understand correctly, TLS may now want to add some kind of anonymity, e.g. encryption of certificates and other identifiers. Since MQV involves sending ephemeral key, these could, at the cost of an extra shared key computation, protect the static (certified or trusted) keys against passive adversaries. I'm not sure if the resulting double use of the ephemeral keys would undermine the security of MQV. Best regards, - Dan
- [Cfrg] Key establishment advice (say, for TLS): H… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Peter Gutmann
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd