Re: [TLS] Re-thinking OPTLS

Hoeteck Wee <hoeteck@alum.mit.edu> Tue, 25 November 2014 23:54 UTC

In-Reply-To: <20141125034915.GT3200@localhost>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4b4IKOcuuFo9FY8qTCinYQxVMcs
Cc: "tls@ietf.org" <tls@ietf.org>

> Hmm, a client that can't keep a shared secret around probably can't keep
> a server sub-cert either...

I don't think that is correct. If an adversary learns the shared
secret held by the client in resumption, then the session gets
compromised and the adversary can decrypt all of the data that gets
sent later. If an adversary learns the server sub-cert g^s held by the
client, no security is lost.

A sub-cert g^s is essentially like a public key in a public-key
encryption scheme, whereas the shared secret in resumption is like a
secret key in a secret-key encryption scheme. Learning the public key
in public-key encryption does not compromise the security of the
encryption scheme; learning the secret key in a secret-key encryption
scheme does.

Hoeteck
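The distinction drawn above, as an added illustration that is not part of the thread: an OPTLS-style handshake whose client stores only the public g^s next to a resumption flow whose client stores the shared secret, with a model of what someone who steals each client's stored state can derive. The group (p = 23, q = 11, g = 4), the KDF and the state layout are constructed toy choices, not the OPTLS specification.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: safe prime p = 23, subgroup
# order q = 11, generator g = 4. A real deployment uses a standard group.
P, Q, G = 23, 11, 4


def keygen():
    """Return (private exponent, public value g^priv)."""
    priv = 1 + secrets.randbelow(Q - 1)
    return priv, pow(G, priv, P)


def kdf(*parts):
    """Stand-in for the handshake KDF: hash all inputs together."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return h.hexdigest()


def optls_handshake(s, gs):
    """OPTLS-style 1-RTT exchange: client ephemeral x, server semi-static s
    (sub-cert g^s) plus server ephemeral y. Returns the session key, the
    public transcript, and the state the client keeps afterwards."""
    x, gx = keygen()
    y, gy = keygen()
    transcript = (gx, gy, gs)
    client_key = kdf(pow(gs, x, P), pow(gy, x, P), transcript)  # g^xs, g^xy
    server_key = kdf(pow(gx, s, P), pow(gx, y, P), transcript)
    assert client_key == server_key
    client_state = {"subcert": gs}   # x is erased; only the public g^s remains
    return client_key, transcript, client_state


def resumption(psk):
    """Resumption: both sides derive the key from the stored shared secret."""
    transcript = (secrets.token_hex(8), secrets.token_hex(8))  # client/server nonces
    client_state = {"psk": psk}      # the secret itself is what the client stores
    return kdf(psk, transcript), transcript, client_state


def adversary_derives(client_state, transcript):
    """What an adversary holding the stolen client state and the observed
    public transcript can compute. Resumption: the PSK is all the KDF needs.
    OPTLS: the KDF needs g^xs and g^xy, i.e. one of the private exponents
    x, y or s, and the stolen state holds only the public value g^s."""
    if "psk" in client_state:
        return kdf(client_state["psk"], transcript)
    return None
```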