Security of alternative handshakes

Watson Ladd <watsonbladd@gmail.com> Thu, 22 April 2021 04:11 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 21 Apr 2021 21:11:26 -0700
Message-ID: <CACsn0cnNk=pVsgc2MjFoHct3qbSVT7MVWRLOMA_YPoSbJTVoCg@mail.gmail.com>
Subject: Security of alternative handshakes
To: IETF QUIC WG <quic@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/WzGhUnPgNwkIyb5hUfkd69GJu4I>

Dear WG,

After the meeting I was thinking through the security of version
negotiation and I realized that there is a wrinkle with the way TLS
and QUIC are layered, and proposals such as noise-QUIC. And that
wrinkle is that while TLS is secure, and noise-QUIC is secure, nothing
says that they are secure together when using the same PKI information
or negotiate well together. With TLS 1.3 we finally added domain
separation to what is signed, but one hopes protocol X does the same
but different.

The other wrinkle is that so far with TLS we've had a pretty uniform
idea of how transport parameters feed into the handshake, and thus
assurance that they are actually implicitly authenticated by the
finished messages and agreed upon. With an alternate handshake that
goes away.

Sincerely,
Watson Ladd
-- 
Astra mortemque praestare gradatim
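
Added example (not part of the original message): a simplified model of the second point, where the Finished MAC covers the transport parameters only if the handshake places them in its transcript. The message layout, the fixed `finished_key` stand-in, the sample parameter values and the `bind_params` switch are assumptions made for illustration and do not describe noise-QUIC or any specific proposal.

```python
import hashlib
import hmac

QUIC_TP_EXT = 0x39  # quic_transport_parameters extension codepoint (RFC 9001)

def encode_params(params):
    """Encode {id: value} as id/length/value triples. Ids and values are kept
    below 64 so each fits in a one-byte QUIC varint (constructed sample only)."""
    out = b""
    for pid, val in sorted(params.items()):
        out += bytes([pid, 1, val])
    return out

def hello(nonce, params, bind_params):
    """Constructed handshake message: a nonce, plus the parameters as an
    extension only when the handshake binds them into its transcript."""
    body = nonce
    if bind_params:
        tp = encode_params(params)
        body += QUIC_TP_EXT.to_bytes(2, "big") + len(tp).to_bytes(2, "big") + tp
    return body

def finished(finished_key, transcript):
    """verify_data = HMAC(finished_key, Hash(transcript)), as in RFC 8446 4.4.4."""
    th = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(finished_key, th, hashlib.sha256).digest()

def handshake_detects_tampering(bind_params):
    """Return True if the Finished check fails after the transport parameters
    are altered between what one peer sent and what the other received."""
    # Stand-in for the key TLS derives from the handshake secrets (assumption).
    key = hashlib.sha256(b"constructed finished_key").digest()
    sent = {0x01: 30, 0x08: 16}     # max_idle_timeout, initial_max_streams_bidi
    received = {0x01: 30, 0x08: 1}  # same parameters after modification in flight
    nonce = bytes(32)
    client_view = [hello(nonce, sent, bind_params)]
    server_view = [hello(nonce, received, bind_params)]
    # Each side MACs its own view; the views must match for Finished to verify.
    return not hmac.compare_digest(finished(key, client_view),
                                   finished(key, server_view))

if __name__ == "__main__":
    print("parameters in transcript, tampering detected:",
          handshake_detects_tampering(True))
    print("parameters outside transcript, tampering detected:",
          handshake_detects_tampering(False))
```

In real TLS 1.3 the finished key itself also depends on the transcript, so the binding is stronger than this model shows.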