Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sat, 07 February 2015 07:45 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 501101A7028 for <tls@ietfa.amsl.com>; Fri, 6 Feb 2015 23:45:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.127
X-Spam-Level: **
X-Spam-Status: No, score=2.127 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DEAR_SOMETHING=1.973, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_BELOW2=2.154, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iN81pxrzsDVl for <tls@ietfa.amsl.com>; Fri, 6 Feb 2015 23:45:13 -0800 (PST)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CFF91A7026 for <tls@ietf.org>; Fri, 6 Feb 2015 23:45:13 -0800 (PST)
Received: by mail-wi0-f174.google.com with SMTP id n3so7171969wiv.1 for <tls@ietf.org>; Fri, 06 Feb 2015 23:45:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3qHGX/RwQaIY8szhyab6arwjfsB5ZsV8rGS3pESfbhA=; b=AdQg60WPAUX1yHUB5s+J944+Gf0sqGAE6LVdzVs35z8yIwYM+H9oAOs9hXo0rRpL8P AJwUYSLtKlHqDvp85S4KBubAHbyb/jgtlqeV5G/D0SgKWWwaTFiNGJeLkniEjBmPSCUA x/z3UZk4SPRCJheNkLkPrhvUVEg4pl9t6vGmhQ0OaH0BEbZPBd4oEd57uOGMEU5R/MHM w4xDPFDmFzLcKusoLqT5Qy0E3Z2+6/kAfjjEWy1sDXO30hPo77kB+v2hO07dvHQSYoFY 7MkpLGa54FAXUJ9O5r3WtGcVES4Q6XgBJ98iGIydL/TIa91pR43tv6cacZ3UWUOVUya5 on/Q==
X-Received: by 10.194.186.200 with SMTP id fm8mr16328957wjc.138.1423295112371; Fri, 06 Feb 2015 23:45:12 -0800 (PST)
Received: from [192.168.1.44] (41.92.69.86.rev.sfr.net. [86.69.92.41]) by mx.google.com with ESMTPSA id hd5sm4608138wib.21.2015.02.06.23.45.11 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 06 Feb 2015 23:45:11 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <3FE6EA13-AF0F-4838-9F1F-CB0DEC158225@gmail.com>
Date: Sat, 07 Feb 2015 08:45:08 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA6569EF-931B-4787-85DC-8A39EA7EB8F0@gmail.com>
References: <CADrAmL6xOMOauSHuTR8BUK7i4NG2Zx3H90dA6k36YMu81pVW0A@mail.gmail.com> <3FE6EA13-AF0F-4838-9F1F-CB0DEC158225@gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6A8bQ8BixrH_m9eT_2kFgOp-qNo>
Cc: abadi@cs.ucsc.edu, Shahin Noursalehi <mixoftix@gmail.com>, ChristopherA@alacritymanagement.com, tls@ietf.org
Subject: Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Feb 2015 07:45:15 -0000
To obtain your multi-certificate guarantee as an extension to the standard TLS 1.3 (EC)DHE exchanges, you do not need multiple pre-master secrets. The server could send multiple Certificate and CertificateVerify messages, all of which sign the same handshake, that is, the same client and server keyshares. So, unless all the signing keys were compromised, the attacker cannot hijack the connection (since he cannot tamper with the server’s keyshare). So a single PMS = KDF(g^xy + …..(handshake hash)….) but multiple server signatures over the handshake with different signing keys. However, I would be wary of changing the TLS state machine in so substantial a way without sufficient formal analysis. On 06 Feb 2015, at 18:07, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> wrote: > This scheme seems to assume an RSA key exchange which no longer exists in TLS 1.3. > > To adapt the multiple PMS design to (EC)DHE would require more work, and it is not clear what the benefit would be. > > -Karthik > > On 05 Feb 2015, at 10:17, Shahin Noursalehi <mixoftix@gmail.com> wrote: > >> Dear Sir/Madam, >> >> Refer to discussions around TLS 1.3 in Linkedin group "Cryptographers >> and Cryptanalysts", contributor experts agree on the idea of using >> multiple keys with multiple certificate authorities in a TLS session. >> So if one certificate authority is compromised hopefully the others >> are not. The suggested solution would be like the process bellow: >> >> Refer to the way that TLS generates the *master_secret*: >> >> master_secret = PseudoRandomFunction(pre_master_secret, "master >> secret", ClientHello.random + ServerHello.random) >> >> We could generate multiple peer-to-peer pre_master_secret(s) for each >> public-key that we receive from the server and XOR them all together. >> So, our offered method of calculation of master_secret will convert >> to: >> >> master_secret = PseudoRandomFunction(multiple_pre_master_secret, >> "master secret", ClientHello.random + ServerHello.random) >> >> where: >> >> multiple_pre_master_secret = XOR(pre_master_secret_1, >> pre_master_secret_2, .. pre_master_secret_n) >> >> and aim at preventing basic attacks that are known against >> one-time-pad, we could add a circular-bit-rotation(m) to the >> calculation above - each time we do an XOR: >> >> multiple_pre_master_secret = ROT(XOR(pre_master_secret_1, >> pre_master_secret_2, .. pre_master_secret_n), m) >> >> Please let us know about your point of views, then we could continue >> discussing the TLS. >> >> With best regards >> >> Shahin Noursalehi >> >> >> Reference: >> >> https://www.linkedin.com/groups/what-are-new-methods-attack-3901854.S.5958888203401314306 >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] the idea of using multiple keys with multip… Shahin Noursalehi
- Re: [TLS] the idea of using multiple keys with mu… Karthikeyan Bhargavan
- Re: [TLS] the idea of using multiple keys with mu… Ilari Liusvaara
- Re: [TLS] the idea of using multiple keys with mu… Russ Housley
- Re: [TLS] the idea of using multiple keys with mu… Karthikeyan Bhargavan
- Re: [TLS] the idea of using multiple keys with mu… Hanno Böck
- Re: [TLS] the idea of using multiple keys with mu… Shahin Noursalehi