Re: [TLS] What would make TLS cryptographically better for TLS 1.3

Robert Ransom <rransom.8774@gmail.com> Sun, 03 November 2013 20:30 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F6F021E8104 for <tls@ietfa.amsl.com>; Sun, 3 Nov 2013 12:30:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XU0GuQqn1sYt for <tls@ietfa.amsl.com>; Sun, 3 Nov 2013 12:30:28 -0800 (PST)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 406D621E80E8 for <tls@ietf.org>; Sun, 3 Nov 2013 12:30:26 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id n9so3556957qcw.15 for <tls@ietf.org>; Sun, 03 Nov 2013 12:30:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JkpAin37B4na/GRl6ZpqMt6fFUl1T4yxViw+8SLAf7g=; b=hqNaD17ogMUrJK+sr5i1JDKlR3XzSxxydQ4vK5buxBSbGDt+XsLcetoByNDmlmfagT 1SuRYOul1dokXlO2Apgh/jaiQ4yi1JwEddTf6rEUhkiOGG6YyMv/oSaz1Z+Gs2IvuaNj mEJMZJXxGRx2RuzlGGsR5ZCY7LRHUzMyPQrBTOWeWvWiUN0D+9dE1flalt7aK8UvANzX UK2DAgOmQKyaltRJ+ReLGThhbJy0KLfO6z1MgdhGMQX9UP29kHmcYnUEwH7uqsZbhmHN VVSi+87Hf0g6wyQF7RUJXiWanmRUKRe9i8O+jw3R44AKUrdUuxwlTY7EIcyBGM6Jdq2B Z0lQ==
MIME-Version: 1.0
X-Received: by 10.229.106.131 with SMTP id x3mr18080151qco.1.1383510625665; Sun, 03 Nov 2013 12:30:25 -0800 (PST)
Received: by 10.229.12.198 with HTTP; Sun, 3 Nov 2013 12:30:25 -0800 (PST)
In-Reply-To: <CA+BZK2pD-=PCEfe2mHKEmu8W_bWkZ+dzt=9iQaVsJ7ug8-tQ6A@mail.gmail.com>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <CABqy+soTKjtU69mf9F6um8FsNNaztv2hXS6iPJe6P=D-A_6b0w@mail.gmail.com> <CA+BZK2pD-=PCEfe2mHKEmu8W_bWkZ+dzt=9iQaVsJ7ug8-tQ6A@mail.gmail.com>
Date: Sun, 3 Nov 2013 12:30:25 -0800
Message-ID: <CABqy+sre3V5eZXotTYGj=dg4774B4TYQB3jpnQ_8JFg-N0W4Bw@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Content-Type: text/plain; charset=UTF-8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What would make TLS cryptographically better for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 20:30:29 -0000

On 11/3/13, Ralf Skyper Kaiser <skyper@thc.org> wrote:

>> * Applications can also use renegotiation-based rekeying to improve
>> forward secrecy; for example, the Mixminion specification
>> (<
>> https://github.com/nmathewson/mixminion-doc/blob/a661212831d2afc3200339b2634ca16452e3aeec/spec/minion-spec.txt
>> >,
>> section 4, line 1040) requires that relay-to-relay TLS connections be
>> rekeyed using renegotiation every 15 minutes for this purpose.
>>
>
> Mixminion falsely assume  that the security degrades if a connection is
> live for more than 15 minutes. That's security wise not true. In today's
> security design (TLS) the negotiated session key material is secure for
> years (if not decades). Gone are the times when DES was used and DES could
> be cracked in 24h and it was desirable to use a new DES key every 24 hours.
> Gone. Gone Gone.
>
> If you negotiate session keys that could be cracked within a year you
> should not have negotiated those sessions keys in the first place.

Mixminion correctly assumes that anyone who obtains a session key by
compromising a server can use that key to decrypt all traffic
protected by it, no matter how long brute-force search would have
taken to find the key.


Robert Ransom