Re: [TLS] Fwd: New Version Notification for draft-whyte-qsh-tls13-01.txt

Brian Smith <brian@briansmith.org> Mon, 21 September 2015 04:53 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AADA1A878B for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 21:53:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1NNbgabEVzlf for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 21:53:50 -0700 (PDT)
Received: from mail-ig0-f169.google.com (mail-ig0-f169.google.com [209.85.213.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7264D1A8787 for <tls@ietf.org>; Sun, 20 Sep 2015 21:53:50 -0700 (PDT)
Received: by igxx6 with SMTP id x6so50715724igx.1 for <tls@ietf.org>; Sun, 20 Sep 2015 21:53:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Y67c+JNkZ8pO8CVrttPklijNpScaabLsN8TF6xbTo8g=; b=ZXXkM/nnskg8JvBKJm3sFMHOJ46IA0wLJKPSMZmTSClg6z3eemHU/rVHcnUjdxE/tY BUZA4NNDdnqhNggmhMBn21BJAjgpNfNPMWXEJ5fffA8LOv3EHbjGflYF8lTmR7couico LJv3ToKOmDCpIWnXjYCq0n2FGEW0MqqDmN+RGs26T9la0fIxWiP65Zh02yWBXNxStFK9 J/fW6MIMPdFktaUN0zyKmvja0Qp/gXn3s4qCiFEjmcP3j8FH+vjXAxqK5MD4fnH/Ro7E lv+7TxjpIaNZGOy0xLRfMB8qGTF2eQwTzW63xiWWU5LM1JDaEIsjtW+J1ezIdErqVvv0 acLg==
X-Gm-Message-State: ALoCoQn50Kg6JOa2+n+uS3P/KI46p0Jgn87gO68F6hDS3P/qtkLf35x9ubzH+Wi3JdDaQ72KWTCz
MIME-Version: 1.0
X-Received: by 10.50.30.232 with SMTP id v8mr1061688igh.35.1442811229773; Sun, 20 Sep 2015 21:53:49 -0700 (PDT)
Received: by 10.79.107.204 with HTTP; Sun, 20 Sep 2015 21:53:49 -0700 (PDT)
In-Reply-To: <CACz1E9orLfuemj+gdJOW3=37WBHJxrYkxLidGkhY4+jo3G=p8w@mail.gmail.com>
References: <20150921023216.17159.38513.idtracker@ietfa.amsl.com> <CACz1E9orLfuemj+gdJOW3=37WBHJxrYkxLidGkhY4+jo3G=p8w@mail.gmail.com>
Date: Sun, 20 Sep 2015 21:53:49 -0700
Message-ID: <CAFewVt6OHV4j9q5Sd1U8mxppztzscMbDUc57NQjv2Uc-A6myKQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: William Whyte <wwhyte@securityinnovation.com>
Content-Type: multipart/alternative; boundary=047d7bdc0a2ad43f1d05203aaa38
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2Pcc6QWuYiL_oqNKBKEKimI66uY>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-whyte-qsh-tls13-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2015 04:53:52 -0000

On Sun, Sep 20, 2015 at 7:59 PM, William Whyte <
wwhyte@securityinnovation.com> wrote:

> Hi all,
>
> We've updated the TLS 1.3 Quantum Safe Handshake draft to use extensions
> as suggested by DKG in Prague. All comments welcome.
>
> There's an interesting issue here: McEliece keys, which should be
> permissible, are larger in size (about 2^20 bytes) than the maximum
> permissible extension size (2^16-1). In order to support McEliece keys it
> might be worth increasing the maximum extension size to 2^24-1 for TLS 1.3.
> Is there a strong reason for keeping the maximum size at 2^24-1, other than
> saving one byte on all the relevant length fields?
>

William, I suggest you first do an experiment:

Create a TLS client that contains all the stuff a browser puts in its TLS
handshake. Then, add your new a maximally-sized (2^16-1 bytes) extension,
but don't otherwise change the client. What percentage of handshakes fail?

I suspect that a huge percentage of the handshakes will fail. First, some
implementations won't accept a ClientHello larger than 1KB (IIRC) due to
artificial limit imposed presumably as a DoS measure. Secondly, I suspect
many implementation will fail to handle a ClientHello that is split across
multiple records. Keep in mind that since the maximum record size is less
than the maximum extension size, a ClientHello with a maximally-sized
extension must require more than one record to be encoded.

In general, I would expect most implementations don't want to receive a 1MB
message of any sort unless they've advertised that they want such messages.
So, a different design that doesn't require including a huge extension in
the initial ClientHello would probably be better.

Cheers,
Brian
-- 
https://briansmith.org/