[TLS] A (somewhat) comprehensive proposal for the handshake
Watson Ladd <watsonbladd@gmail.com> Mon, 23 June 2014 00:05 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E2D41B2796 for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rMi5B_a-p8rP for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B691F1A083D for <tls@ietf.org>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
Received: by mail-yk0-f175.google.com with SMTP id 9so4252519ykp.6 for <tls@ietf.org>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=tIlExNE4sCmEAYobxN95SX/Oo3CR8xDVXXPvyfibUwE=; b=kvpgwsUnSx0VqhVaSwfPfEgQfmKwfU6g0HukaM4i6nPd+rOadHNtkcnL5OyhDb+zjK EJnFoqJzQ8tTgIYMKXidaZqmG0Ona1OWW/hqGM4J2hyw8FvygIN+giNobbw04RGnpT+W YBqTzB03YeHXVcGqzdo8P4DoiYpYF+xE559voiZhXAJJ2voiIo6qo/UgYyhz+ms8+baG c9MZLp+mNb493y8G/kMSqqkperAXPPRWpb0BBJ0+H0BQ9jW4+KivcVL7qBFXYrAv0b5p 6GIlDNdgVyCRMn0IxFMHZHd2wLc7HjcSW9efQSRs+uggXF0f0RAKKYxsBuaI+ycH7kaN 1m1g==
MIME-Version: 1.0
X-Received: by 10.236.207.33 with SMTP id m21mr29424957yho.71.1403481912963; Sun, 22 Jun 2014 17:05:12 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 22 Jun 2014 17:05:12 -0700 (PDT)
Date: Sun, 22 Jun 2014 17:05:12 -0700
Message-ID: <CACsn0ckPfJ+mq+1ZazbzJadAK8LCSpMvuDht44RzS4V9moTAEA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-7Kts_iX452Dy593BoMF5XoXKMI
Subject: [TLS] A (somewhat) comprehensive proposal for the handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 00:05:16 -0000
Dear all,
I'm writing this to put forward a (somewhat) comprehensive view of how
we can deliver on the promises in the charter, while making sure we
don't have the sort of security problems as before, and making it easy
to support TLS 1.3 in clients and servers that already support TLS
1.2.
My view is the best way forward is to have TLS 1.3 consist of two
extensions to TLS 1.2: one signalling a change to the key derivation
and Finished Messages, the second signaling a guess as to the
ciphersuite and curve to be negotiated, along with the
ClientKeyExchange.
The guess is conceptually easier to describe: it contains the
ciphersuite, the curve that will be picked, and a "point on the curve"
(aka DH value). If the server accepts the guess it sends back this
extension, if it doesn't accept the guess (because it wants a
different ciphersuite or curve) it doesn't send back the extension.
The changes signalled by the first extension are as follows: The
ciphersuite contains a PRF I will call H. At each message we have
H(script), a hash of the transcript of sent messages. We set the
master key at the earliest possible point, namely after the DH values
have been exchanged to H( hlen || H(script) || hlen || H(g^a, g^b,
g^ab) || opt_in_len || opt_in). (Server random and client random are
in the script, opt_in is optional data for channel binding purposes
like renegotation_info or handshake obfuscation). (Yes, I would have
prefered going from {{0,1}*}*->{0,1}^n)
H(script) is used to salt the server signature of its group element.
If we want to protect against clients with bad random number
generators from being fooled we might need to add server_random also.
>From this channel keys are derived as usual. (This might go badly with
resumption: maybe this needs to be rethought)
The Finished message contains a confirmation key H( master_key_len ||
master_key || "client confirm") for the client or "server confirm" for
the server. It's not sent encrypted: the ChangeCipherSpec comes
immediately afterwards. (Yes, you can have a half-encrypted channel at
some stages during the handshake)
Why is this secure? Go to the ROM, and we see that the key derived
from the handshake is a function of the handshake values that is
injective. With a bit more work we see active intervention earns the
attacker nothing, so what is left reduces to DH security. Assume
server_random is unique, and you get anti-replay. I've not formalized
this intuition.
Client authentication has to come after the finished message, but this
is easy: sign a value extracted from the master_secret. Resumption
tickets need to be set in a message after the key is derived. This
proposal is orthogonal to handshake obfuscation.
For the ZRT transport I have no idea.
Sincerely,
Watson Ladd