Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
Watson Ladd <watsonbladd@gmail.com> Wed, 16 March 2016 15:03 UTC
On Wed, Mar 16, 2016 at 5:36 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> After a number of, uh, gentle reminders from people who have been waiting for
> this, I've finally got around to posting the TLS-LTS draft I mentioned a while
> back. It's now available as:
>
> http://www.ietf.org/id/draft-gutmann-tls-lts-00.txt
>
> Abstract:
>
> This document specifies a profile of TLS 1.2 for long-term support,
> one that represents what's already deployed for TLS 1.2 but with the
> security holes and bugs fixed. This represents a stable, known-good
> profile that can be deployed now to systems that can't roll out
> patches every month or two when the next attack on TLS is published.
>
> Several people have already commented on it off-list while it was being
> written, it's now open for general comments...

Several comments:

As written, supporting this draft requires adopting the encrypt-then-MAC
extension. But there already is a widely implemented secure way to use
MACs in TLS: AES-GCM. Likewise, this draft modifies the way the master
secret is computed, despite a widely implemented different solution to
the problem, namely the EMS triple handshake fix. I don't see why these
other solutions should be adopted over the ones that already are there.

The use of uncompressed points makes off-curve attacks much easier than
with compressed points. Recommendations to not reuse randoms for ECDH
and to use Curve25519 would actually solve the problems, instead of what
the draft has right now.

The analysis of TLS 1.3 is just wrong. TLS 1.3 has been far more
extensively analyzed than TLS 1.2. It's almost like you don't believe
cryptography exists: that is a body of knowledge that can demonstrate
that protocols are secure, and which has been applied to the draft.

The ladder diagram/state machine discussion ignores the real problem,
which is not having either represented in the code. It doesn't direct
readers to do anything that helps solve the problem, such as testing for
the correct state transitions.

> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.
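The "EMS triple handshake fix" mentioned above is the extended master secret of RFC 7627: instead of deriving the master secret from the pre-master secret and the two Hello randoms alone (RFC 5246), it mixes in a hash of the full handshake transcript. The following example, added here and not part of the thread, implements both derivations with the TLS 1.2 PRF and shows why that matters: two handshakes that share the same pre-master secret and randoms but differ elsewhere in the transcript collide under the classic derivation and diverge under EMS. All key material and transcripts below are constructed placeholders.

```python
import hashlib
import hmm as _unused  # placeholder removed below
```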
- [TLS] TLS 1.2 Long-term Support Profile draft pos… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Watson Ladd
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Wan-Teh Chang
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Paterson, Kenny
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Watson Ladd
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Paterson, Kenny
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Sven Schäge
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Ilari Liusvaara
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Karthikeyan Bhargavan
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Karthikeyan Bhargavan
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Eric Rescorla
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… D. J. Bernstein
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Joachim Strömbergson
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Salz, Rich
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Yoav Nir
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Tony Arcieri
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Tony Arcieri
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Joachim Strömbergson
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Henrick Hellström
- [TLS] TLS 1.2 Long-term Support Profile vs HTTP/2… Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Martin Thomson
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Yoav Nir