Re: [TLS] Initial draft of DH-based key exchange
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 27 March 2015 23:52 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4B421A00DB for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 16:52:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74KzGosR1ITQ for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 16:52:27 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 704FD1A0023 for <tls@ietf.org>; Fri, 27 Mar 2015 16:52:26 -0700 (PDT)
Received: by lbcmq2 with SMTP id mq2so74176471lbc.0 for <tls@ietf.org>; Fri, 27 Mar 2015 16:52:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=od6y+Ff7wRpShFnUyzAW6KZG5WL7DiqGR/AoDkZVHf8=; b=p3x6Qn0zR5Gjx4zGukNbPq3W4yezl1vMTeiUhOWTWzloDQ/1YErgQX+kY9FnR23bW6 fuelVsfrzP2o+HYQ18y+YnmQAcGp+ydzypr6TWcmZH8y1beX9PlwdttVVIhKQeaSiVGo wairdHB/xe8FJLTalxd3IRTM38LdJfwtFWdgCHefd10C6ZJD0QxtY0P/YQil3hRh8XWx Gq7DrnpI6CHTSjJmHZMnbGddkQ8ksLi8ojQbaWmNUbb2y6QZX4yGsVBLb0pmiQ3nJMRk Q/EwUIn1pe9H+q+FDBEG1pvJAh9vxt+WBPKjuHFrLGyi85b3d85jAXTdNdoYq4qZndUk rhSg==
X-Received: by 10.152.198.170 with SMTP id jd10mr19543949lac.60.1427500344979; Fri, 27 Mar 2015 16:52:24 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.9 with HTTP; Fri, 27 Mar 2015 16:51:54 -0700 (PDT)
In-Reply-To: <20150327161746.GA28742@LK-Perkele-VII>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <20150327150032.GA27825@LK-Perkele-VII> <D13ADBCE.43E69%kenny.paterson@rhul.ac.uk> <20150327161746.GA28742@LK-Perkele-VII>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 27 Mar 2015 19:51:54 -0400
X-Google-Sender-Auth: Mc653C4Hccp-MAimYRYKv2T-FlI
Message-ID: <CADi0yUN9Q7X1nm-bRwD6H2oqMANNLsTxhgSXbgF7odHTYRbbtw@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="001a11349c0afab76405124dd243"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6X_EwxrmSNXflNKQ-YBE5rzlsr0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 23:52:28 -0000
The theme of simplification applies to your concerns below too. The simpler the protocol the closer it stays to its underlying cryptographic core hence the closer it stays to the cryptographic semantics. Actually, the issue of simplifying semantics is of utmost importance. For example, the hierarchical key derivation scheme in TLS 1.3/OPTLS bind terminal keys (those used for data protection either inside the handshake or output for record protection) to a unique context encompassing a label defining the key's functionality and information that ties the key to particular handshake session (including nonces, negotiated parameters, identities, etc.). That defines the semantics and provenance of keys which should be the only thing that consumers of the TLS handshake need to know about these keys. One thing to double check when specifying the handshake protocol is that context and intended semantics match indeed. (I wonder, for example, if we should label keys derived with PFS from those derived without PFS.) Hugo On Fri, Mar 27, 2015 at 12:17 PM, Ilari Liusvaara < ilari.liusvaara@elisanet.fi> wrote: > On Fri, Mar 27, 2015 at 03:27:54PM +0000, Paterson, Kenny wrote: > > > > The limitation of scope does not mean the papers are useless. As you > write > > above, one just needs to be wary of over-interpreting what they say. > > Well, not useless, but... > > There are different kinds of problems arising for over-interpreting > security proofs: > > Take some protocol X that is designed to use TLS feature Y for purpose > Z (e.g. SPDY used TLS-Extractor for channel binding). > > This can be outright broken (like the example is in TLS 1.2 without > extensions). > > This calls for documenting limiations of various TLS features. And > preferably not provoding "attractive nuisances". But that doesn't > mean the features provoded won't be used in strange ways. > > > More nasty case is if there is a security proof that some strengthening > A is unnecressary given assumptions B (which seems quite broadly > applicable). > Then TLS removes A as "unnecressary". Except that using Y for Z breaks B > and relies on A, so now X is insecure. This is obviously highly attractive > for crypto sabotage projects. > > E.g. suppose TLS had renego-fix-like fix for resumption. Now remove > session-hash because it is unnecressary given proper certificate > authentication. Except now TLS-Extractor for channel binding is broken. > > This calls for being conservative with strengthening. > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara