IETF Logo Mail Archive

Re: [TLS] Inclusion of OCB mode in TLS 1.3

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 22 January 2015 22:07 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 561551A87E4 for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 14:07:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cT4vyV7reY7J for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 14:07:55 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 319451A87A5 for <tls@ietf.org>; Thu, 22 Jan 2015 14:07:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1421964476; x=1453500476; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=lehG/TvYUiRZCVY1rEy6Ip0PA7IYGcXCEqF2Rozb73I=; b=ugIIr8s7Brv1bZC6b1jv4NYBkAqs7Lyy8hrSGq1uN+qf7/2aJSHRbn3v +O78hBO+q2wK5W3F+/cxgBj8ze2blDwMTqIpdfQQVde4rFXKsjoQIsFju zMzPW/t5x2eBPbjCA84Vf2xVvqmeQIbi85NWgfFVH0i6P5gyL9U4r4oA1 w=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="303155665"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 23 Jan 2015 11:07:53 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.148]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0174.001; Fri, 23 Jan 2015 11:07:52 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Inclusion of OCB mode in TLS 1.3
Thread-Index: AdA2j92obButSWp5QhmD2iJJC2WYEQ==
Date: Thu, 22 Jan 2015 22:07:52 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAF626ED@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/08rQ7joVWLB9p_hkcoCr--W809s>
Subject: Re: [TLS] Inclusion of OCB mode in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2015 22:07:59 -0000

Aaron Zauner <azet@azet.org> writes:

>The issue I see is that confined/embedded might not have DHE as fallback in
>any case, because they probably opt to not support it because if plattform
>constraints. And as far as I understand PSK is exactly there for these use-
>cases.

Not necessarily.  When I did my PSK draft I added the discussion of embedded
systems use mostly as a red herring to deal with the people who complained
that since we already have PKI in all its infinite wonder and perfection to
secure TLS, there's no need for anything involving shared secrets.  The
mention of use in embedded systems was to deal with the PKI zombies, not
embedded systems.  RFC 4279 doesn't mention embedded systems at all.

>It would be really good to have someone doing TLS crypto in the embedded
>world comment on this topic.

I've got lots of TLS running in embedded systems.  I'm not aware of anything
currently using pure PSK, it's always DHE with PSK.  To deal with lower-power
CPUs, you use smaller DH parameters.  Even for older stuff from before it was
ARM everywhere (with a side order of MIPS, PPC, NIOS, and whatnot everywhere),
the standard approach was still to use smaller RSA/DH values rather than pure
PSK.  I support non-PFS PSK, but only after all of the PFS PSK suites, so I
doubt that ever gets used.

At a pinch you can even do DHE-RSA in an embedded device, you just memcpy()
out a pre-encoded certificate chain that's generated on install so you don't
have to have any certificate-processing code present.  Problem is that (a)
this doesn't give you mutual auth and (b) more importantly certificates
inherently don't work with embedded devices which can't be identified or
provisioned in any manner that's expected for certificates.  At best you can
hardcode in a fixed certificate with a meaningless identifier and infinite
lifetime at system build time, but that's just going through the motions of
using certs.

Peter.

v2.15.0 | Report a Bug | By Email