Re: [TLS] COSIC's look on TLS 1.3
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 08 November 2016 22:34 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 284EF1294E4 for <tls@ietfa.amsl.com>; Tue, 8 Nov 2016 14:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-8COYRm6EfA for <tls@ietfa.amsl.com>; Tue, 8 Nov 2016 14:33:57 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id AF9BD1294BC for <tls@ietf.org>; Tue, 8 Nov 2016 14:33:57 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id D3DE616402; Wed, 9 Nov 2016 00:33:55 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id LjxxY2wrKVre; Wed, 9 Nov 2016 00:33:55 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 4AE2F289; Wed, 9 Nov 2016 00:33:55 +0200 (EET)
Date: Wed, 09 Nov 2016 00:33:52 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Roel Peeters <roel.peeters@esat.kuleuven.be>
Message-ID: <20161108223352.GA9878@LK-Perkele-V2.elisa-laajakaista.fi>
References: <2d2ba626-0b5d-590f-efb7-e4ad30b5608b@esat.kuleuven.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <2d2ba626-0b5d-590f-efb7-e4ad30b5608b@esat.kuleuven.be>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-6V9X5L6h7LbrRu-tN-B6BjZwD8>
Cc: Jens Hermans <Jens.Hermans@esat.kuleuven.be>, tls@ietf.org
Subject: Re: [TLS] COSIC's look on TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 22:34:00 -0000
On Tue, Nov 08, 2016 at 03:55:36PM +0100, Roel Peeters wrote: > Dear all, > > just to let you know that we have written a blog post on the current TLS > 1.3 draft, with our remarks that might be of use in your upcoming meeting. > > https://securewww.esat.kuleuven.be/cosic/?p=6624 Some comments: - I would expect ClientHello to identify the TLS library client uses, by fingerprinting ClientHello. E.g. btls has very characteristic ClientHello (Elliptic curve 30 and signature 0x0808 are very rare). - Outside statically provisioned PSKs, the PSK identifiers are supposed to be use-once (or at most use few times tightly spaced). - Speed matters, therefore TLS 1.3 has been designed with the greatest speed -> 2 client flights and 1 server flight till data transport is fully up. Which is theoretical minimum for any protocol with key confirmation. - Checks have bad tendency of being omitted, so I personally prefer more complex key schedule that can force the properies. - The state machine complexity mostly comes from all the messages in the handshake, none really seems removable/mergeable without introducing more problems. - The obfustication is meant for one purpose only: Prventing attackers from correlating dynamic PSK connection with its parent. Note that masking is additive, so even multiple-use of the same PSK does not allow correlation of parent session. The child sessions would be correlated, but those are easily correlated by the identifiers anyway. - Yes,the correct way is to invalidate tickets on use. The reason the mechanism is done this way is to support stateful and stateless as good as possible (obviously, stateless mechanisms have inherit problems). - Regarding 0-RTT data, yes it scares me... If just for the fact that it appears to be much more difficult to analyze than just about anything else (another scary feature is post-handshake auth, given the possiblities for applications to seriously shoot themselves to the foot with it, in non-obvious ways). - Receiving the same PSK twice is only possible within the same connection: Because associated PSK master key will be different on every connection attempt, and forcing it to be the same would require breaking the PRF hash (which already causes severe issues). - Even if client reuses PSKs, unless the ClientHellos are exactly the same (including Random field, which is supposed to be 256 random bits), the keys will almost certainly be forced different (if PRF hash is strong). This also holds for 0-RTT keys. - Yeah, there have been complaints about lack of state diagram, stating that the present ladder diagram is not sufficient. -Ilari
- [TLS] COSIC's look on TLS 1.3 Roel Peeters
- Re: [TLS] COSIC's look on TLS 1.3 Sean Turner
- Re: [TLS] COSIC's look on TLS 1.3 Dave Garrett
- Re: [TLS] COSIC's look on TLS 1.3 Ilari Liusvaara
- Re: [TLS] COSIC's look on TLS 1.3 Eric Rescorla
- Re: [TLS] COSIC's look on TLS 1.3 Roel Peeters
- Re: [TLS] COSIC's look on TLS 1.3 Eric Rescorla