Re: [TLS] What would make TLS cryptographically better for TLS 1.3

Robert Ransom <rransom.8774@gmail.com> Sat, 02 November 2013 00:26 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6879911E810C for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 17:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1w-xGPrK2Fi for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 17:26:31 -0700 (PDT)
Received: from mail-qa0-x235.google.com (mail-qa0-x235.google.com [IPv6:2607:f8b0:400d:c00::235]) by ietfa.amsl.com (Postfix) with ESMTP id 2334F11E814C for <tls@ietf.org>; Fri, 1 Nov 2013 17:26:29 -0700 (PDT)
Received: by mail-qa0-f53.google.com with SMTP id k15so973550qaq.19 for <tls@ietf.org>; Fri, 01 Nov 2013 17:26:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FVWhfqWhUrGKSSErDzVelbtFA/0pd96lxzBM9sVyyfE=; b=I7ABP6r48W264Df9F6nFYpIlTknTavxMQJHWy2Kv4g1Wmjb5Ql8Dvp1Cg4OItfh/js smQTFeuVG1WPRIptyJZAHqSWx4aUSeiBByqLfrUctSiGZ4DiW3ZRLe6Vfn2Chs4Wrg9x nAW4vK/0G+4tx9XsuRkmABepXqdpJN04HvSj75jCGMwpQfYt3uZS9iZW/uAG8z+o0ZKS yyYzyQGVTxmR+RXI09n/nYtazMjDwZk8m+KjzLIzO7qu156ezcRXsOq6/8zGfQzokweW xBZA9aVFMdM/KoJkc5P5WlUHoH0X+AdoNNMy47JFYuqZWTy3JiEx3lZAPSxQM4sgPF94 COFA==
MIME-Version: 1.0
X-Received: by 10.49.61.9 with SMTP id l9mr7460207qer.64.1383351988709; Fri, 01 Nov 2013 17:26:28 -0700 (PDT)
Received: by 10.229.12.198 with HTTP; Fri, 1 Nov 2013 17:26:28 -0700 (PDT)
In-Reply-To: <CACsn0ck94Gmyr3d6BsaM-Mwf4Qh6zFRv1qAS3bkitrFkFwVOFw@mail.gmail.com>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <CABqy+soTKjtU69mf9F6um8FsNNaztv2hXS6iPJe6P=D-A_6b0w@mail.gmail.com> <CACsn0ck94Gmyr3d6BsaM-Mwf4Qh6zFRv1qAS3bkitrFkFwVOFw@mail.gmail.com>
Date: Fri, 01 Nov 2013 17:26:28 -0700
Message-ID: <CABqy+sqck9S_7za4C++XLUcQHc5X2DSDdrp8M4bKAA-q+gcdwQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: tls@ietf.org
Subject: Re: [TLS] What would make TLS cryptographically better for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 00:26:32 -0000

On 11/1/13, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Nov 1, 2013 2:21 PM, "Robert Ransom" <rransom.8774@gmail.com> wrote:
>>
>> On 10/31/13, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> > TLS 1.3 should significantly reduce the number of round trips
>> > required. To this end I propose the following obviously secure scheme:
>> > the client sends a point on a curve in ClientHello and the server
>> > responds with certificates (or some other authentication thing) and a
>> > point on a curve, so that when the client speaks again, it is with a
>> > negotiated, authenticated shared secret. Before everyone screams about
>> > needing one signature per connection, note the server can use a time
>> > based secret key, so only has to do one exponentiation per client.
>>
>> This protocol should be designed to allow future extension to use
>> post-quantum encryption and/or key encapsulation cryptosystems.  (I
>> don't believe that quantum computers will become a threat, but some PQ
>> cryptosystems may be faster than ECDH.)
>>
> The PQ transition involves reworking the PKI as well. We also don't know if
> NTRU or something else will win. A proffered version byte to avoid
> downgrades could work, but I would not want to commit to the future.

If I believed that a 'PQ transition' would be needed, I would argue
for implementing it *now*.  This is purely for performance purposes,
if PQ cryptosystems turn out to be faster than ECDH in at least some
implementations.

>> It also needs to either allow session resumption without the
>> possibility of reusing any key used to encrypt or authenticate
>> application-level data, or explicitly forbid session resumption.
>>
>>
>> > Renegotiation should be killed: it serves no purpose.
>>
>> Renegotiation is a critical feature of TLS, which serves multiple
> purposes.
>>
>> * Renegotiation allows rekeying of a session.  This is absolutely
>> required for any ciphersuite based on a block cipher with a 128-bit or
>> smaller block, because block cipher modes' security properties degrade
>> after they are used for more than some number of blocks.
> After one zettabyte according to a simple calculation.

For counter mode with a non-GCM-like MAC, yes.  Other modes have other
security bounds.

>> * Applications can also use renegotiation-based rekeying to improve
>> forward secrecy; for example, the Mixminion specification
>> (<
> https://github.com/nmathewson/mixminion-doc/blob/a661212831d2afc3200339b2634ca16452e3aeec/spec/minion-spec.txt
>>,
>> section 4, line 1040) requires that relay-to-relay TLS connections be
>> rekeyed using renegotiation every 15 minutes for this purpose.
> If reconnecting is cheap enough that works. Designers need to deal with
> connection death anyway.

Reconnecting allows relatively simple network eavesdropping logs (e.g.
logs which contain connection endpoint addresses, start and end time,
and amount of data transferred) to record more information about the
application's behaviour.

Apart from that, applications should not need to cause connection
death in order to obtain forward secrecy.

>> * A TLS connection can be established by a fully trusted device which
>> knows a password or other application-layer authorization credential,
>> authorized to perform some operations using messages within the TLS
>> connection, and then transferred with the help of renegotiation to a
>> less trusted device to actually perform those operations.  This is
>> similar to the preceding use, but to provide 'sideways secrecy' rather
>> than forward secrecy.
> What does renegotiation get here?

Renegotiation can be used to prevent the untrusted device from
decrypting the user's password in order to use it to authorize a later
TLS connection.

> The untrusted device can do everything unless it is being monitored by a
> trusted device.

The untrusted device cannot do anything after the TLS connection is closed.

>> * One version of the Tor 'link protocol' (Tor's term for its outer
>> TLS-based connection protocol) uses renegotiation to provide secrecy
>> for the server's certification chain against purely passive attackers.
>>  The purposes above could be served by applying a one-way function to
>> the originally derived key material, then discarding the old keys;
>> this purpose cannot.
> TOR could send a temporary outer signature and an inner proof.

It's "Tor", not "TOR".

That's what it does now, using a custom authentication protocol with a
custom channel-binding  at the application layer, because the TLS
renegotiation mechanisms available at the time were too problematic.

> I agree this
> is a weakness, but CurveCP like mechanisms only work thanks to some known
> key.

Or the server could send the blob authenticating its (EC)DH public key
inside the (EC)DH secure channel.  (I mentioned this as an application
of renegotiation because you did not specify that server credentials
would be concealed, not because there is no special-purpose hack to
get around the lack of renegotiation.)


I agree that some of the problems that I know renegotiation can solve
can be addressed using other mechanisms.  I don't see the attraction
of designing and implementing a different protocol feature to solve
each problem when a single secure, well-designed renegotiation
protocol would solve all of them at once.


Robert Ransom