IETF Logo Mail Archive

Re: [TLS] draft-urien-tls-dh-tripartite-00

Pascal Urien <pascal.urien@gmail.com> Wed, 07 July 2010 17:42 UTC

Return-Path: <pascal.urien@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1ED8B3A68A3 for <tls@core3.amsl.com>; Wed, 7 Jul 2010 10:42:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLs2bNvrhbtK for <tls@core3.amsl.com>; Wed, 7 Jul 2010 10:42:42 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 929033A689B for <tls@ietf.org>; Wed, 7 Jul 2010 10:42:41 -0700 (PDT)
Received: by wwb24 with SMTP id 24so2605138wwb.13 for <tls@ietf.org>; Wed, 07 Jul 2010 10:42:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=9Mdm0fd5+xJKy+VMnBpLP0RKzuFocr3/uXMvFEMuv+Y=; b=EsphmYRlzh+SDQ8H+LcAAoU+s9PamhmWthC0SiP9Rnj5CObsOqaOD91skDdm3F3dt3 K6h1Pt46YPSnSvvKJZSxDamAKmN0iNUBDuzSGhaGY7C4cWr3kKTwDf6kIMC+8eRe3fdb V4ZpMRwZ+T+BEqlLtkbKU/i4euyDyYmT3BRIA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=qYU03ujHvTFIGuOTrPVGUPX5oSvQDdNvYpCaYvX7uwsjiDS+V+ZeGLk74x8KqFATGh 0MURTOn347+SfHXMQUnB+ycWTOKRdw/mzE1p/0c3IaQTtbo9SlXWQaY8qRS1ZCesNNSj QJv9dTRF5Do0mQNDWZFo4keLnbOaWhy62qM5k=
MIME-Version: 1.0
Received: by 10.216.160.202 with SMTP id u52mr1271092wek.32.1278524561181; Wed, 07 Jul 2010 10:42:41 -0700 (PDT)
Received: by 10.216.50.6 with HTTP; Wed, 7 Jul 2010 10:42:41 -0700 (PDT)
In-Reply-To: <201007071728.o67HSOUk000852@fs4113.wdf.sap.corp>
References: <AANLkTilJc03vI4-juQWyVnDErCeCfLo7osQNRx1IDIcN@mail.gmail.com> <201007071728.o67HSOUk000852@fs4113.wdf.sap.corp>
Date: Wed, 07 Jul 2010 19:42:41 +0200
Message-ID: <AANLkTinUI1zM3epk2NO9t1CGvYouYXhQQ3J66Jd6KfoQ@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] draft-urien-tls-dh-tripartite-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 17:42:43 -0000

Hi Martin,

  Trusted Third Party means you trust this entity.

  In bipartite exchange the client trust the server. He beleives  that
the server private key (DH or RSA) is only known by the server

  In tripartite exchange the trust is shared by three entities. In my
mind TTP is an authorized observer

Pascal

2010/7/7 Martin Rex <mrex@sap.com>:
> Pascal Urien wrote:
>>
>>    Most of privacy exchanges over the Internet rely on the TLS protocol.
>>    According to this protocol two entities the client and the server
>>    computes a master secret from which are deduced cryptographic keys
>>    used for data privacy and security. Digital transactions may deal
>>    with critical information (payments ...) that need to be recorded for
>>    traceability issues or for legal requirements. However messages are
>>    secured by the TLS protocol, so it is not possible for a third party
>>    that logs packets to perform decryption operations upon legitimate
>>    requests.
>>
>>    The goal of this draft is to support a Trusted Third Party (TTP) that
>>    could recover the protected information when needed. The proposed
>>    protocol uses the Tripartite Diffie-Hellman (tdh) algorithm based on
>>    bilinear pairings over elliptic curves.
>
>
> I'm sorry, but this approach appears to be built on severely flawed
> assumptions.
>
> The data integrity protection and data encryption in TLS is based
> purely on symmetric crypto using SHARED secrets.  This means that
> both communication peer can not only verify all application data
> received from the peer, each of them can also create perfect fakes.
> And if the master secret plus the randoms from the initial handshake
> are shared with a misleadingly called "Trusted Third Party" (TTP),
> then also that TTP can perfectly modify a communication between two
> peers.
>
> TLS cipher suites are not built to provide anything in the direction
> of non-repudiation for communication contents at the transport level.
>
> Personally, I think that the concept of "escrowing application data
> at the transport level" for any kind of evidence purposes to be an
> unconditionally bad idea.
>
> Early 2007 there was a proposal (draft-housley-evidence-extns-00)
> with a similar motivation, but technically correct architecture,
> posted on the TLS mailing list,  IIRC, it required the peers to apply
> digital signatures to application data, so that none of the parties
> involved (peer and TTP) woulde be able to perfectly modify the
> application data stream that was escrowed in full at the transport
> level.
>
> If there is a need to get proof/evidence for specific application-level
> information, that put exactly that data -- and nothing else -- into a
> digitally signed container, e.g. PKCS7,CMS or XMLdsig and have it
> signed at the application level.  In several jurisdictions, this is
> anyway one of the prerequisite for visualization to end users with a means
> of trusted hardware before legally binding digital signatures can
> be applied to data.
>
>
> Digital signatures over non-canonical application data that is
> arbitrarily fragmented over several different independent communication
> connections, with open/dangling external references (some of which
> may be filled by caches) with arbitrary amounts of intermediate
> protocol layer stuffing, codepage translations and transport encodings
> is an unconditionally bad idea.
>
> The idea of logging (let alone archiving) a complete application level
> datastream for other than very short term technical problem solving
> is completely incompatible with data protection laws in Europe based
> on the European data protection directive if any of the data that is
> exchanged is or can be related to human beings or legal entities.
>
>
> Trying to think about where this technology could be used, I can
> only think of scenarios that are either technically useless or
> illegal privacy violations und the data protection laws in Germany
> and likely most other countries of the European Union.
>
>
> -Martin
>

v2.23.0 | Report a Bug | By Email