[TLS] A (somewhat) comprehensive proposal for the handshake
Watson Ladd <watsonbladd@gmail.com> Mon, 23 June 2014 00:05 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E2D41B2796 for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rMi5B_a-p8rP for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B691F1A083D for <tls@ietf.org>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
Received: by mail-yk0-f175.google.com with SMTP id 9so4252519ykp.6 for <tls@ietf.org>; Sun, 22 Jun 2014 17:05:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=tIlExNE4sCmEAYobxN95SX/Oo3CR8xDVXXPvyfibUwE=; b=kvpgwsUnSx0VqhVaSwfPfEgQfmKwfU6g0HukaM4i6nPd+rOadHNtkcnL5OyhDb+zjK EJnFoqJzQ8tTgIYMKXidaZqmG0Ona1OWW/hqGM4J2hyw8FvygIN+giNobbw04RGnpT+W YBqTzB03YeHXVcGqzdo8P4DoiYpYF+xE559voiZhXAJJ2voiIo6qo/UgYyhz+ms8+baG c9MZLp+mNb493y8G/kMSqqkperAXPPRWpb0BBJ0+H0BQ9jW4+KivcVL7qBFXYrAv0b5p 6GIlDNdgVyCRMn0IxFMHZHd2wLc7HjcSW9efQSRs+uggXF0f0RAKKYxsBuaI+ycH7kaN 1m1g==
MIME-Version: 1.0
X-Received: by 10.236.207.33 with SMTP id m21mr29424957yho.71.1403481912963; Sun, 22 Jun 2014 17:05:12 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 22 Jun 2014 17:05:12 -0700 (PDT)
Date: Sun, 22 Jun 2014 17:05:12 -0700
Message-ID: <CACsn0ckPfJ+mq+1ZazbzJadAK8LCSpMvuDht44RzS4V9moTAEA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-7Kts_iX452Dy593BoMF5XoXKMI
Subject: [TLS] A (somewhat) comprehensive proposal for the handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 00:05:16 -0000
Dear all, I'm writing this to put forward a (somewhat) comprehensive view of how we can deliver on the promises in the charter, while making sure we don't have the sort of security problems as before, and making it easy to support TLS 1.3 in clients and servers that already support TLS 1.2. My view is the best way forward is to have TLS 1.3 consist of two extensions to TLS 1.2: one signalling a change to the key derivation and Finished Messages, the second signaling a guess as to the ciphersuite and curve to be negotiated, along with the ClientKeyExchange. The guess is conceptually easier to describe: it contains the ciphersuite, the curve that will be picked, and a "point on the curve" (aka DH value). If the server accepts the guess it sends back this extension, if it doesn't accept the guess (because it wants a different ciphersuite or curve) it doesn't send back the extension. The changes signalled by the first extension are as follows: The ciphersuite contains a PRF I will call H. At each message we have H(script), a hash of the transcript of sent messages. We set the master key at the earliest possible point, namely after the DH values have been exchanged to H( hlen || H(script) || hlen || H(g^a, g^b, g^ab) || opt_in_len || opt_in). (Server random and client random are in the script, opt_in is optional data for channel binding purposes like renegotation_info or handshake obfuscation). (Yes, I would have prefered going from {{0,1}*}*->{0,1}^n) H(script) is used to salt the server signature of its group element. If we want to protect against clients with bad random number generators from being fooled we might need to add server_random also. >From this channel keys are derived as usual. (This might go badly with resumption: maybe this needs to be rethought) The Finished message contains a confirmation key H( master_key_len || master_key || "client confirm") for the client or "server confirm" for the server. It's not sent encrypted: the ChangeCipherSpec comes immediately afterwards. (Yes, you can have a half-encrypted channel at some stages during the handshake) Why is this secure? Go to the ROM, and we see that the key derived from the handshake is a function of the handshake values that is injective. With a bit more work we see active intervention earns the attacker nothing, so what is left reduces to DH security. Assume server_random is unique, and you get anti-replay. I've not formalized this intuition. Client authentication has to come after the finished message, but this is easy: sign a value extracted from the master_secret. Resumption tickets need to be set in a message after the key is derived. This proposal is orthogonal to handshake obfuscation. For the ZRT transport I have no idea. Sincerely, Watson Ladd