Re: [TLS] Re-thinking OPTLS

Hugo Krawczyk <hugo@ee.technion.ac.il> Sun, 23 November 2014 01:03 UTC

In-Reply-To: <CABcZeBOR6tYDvt+mVFYdmA+PjZSAYivu8F7s=M_4_dRTaKpN4w@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Sat, 22 Nov 2014 20:02:35 -0500
Message-ID: <CADi0yUPrbfNj-uwHSj8U33e9s+WomB4XB9M6uf+CUr66HbpkXw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7bfmQnokUiNERfch1rPwb5UosNo
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] Re-thinking OPTLS

I thought that was what you meant, but at least Watson seemed to be
interpreting it in the arithmetic sense, and he was right to point out that it
would be insecure to do so.

On Sat, Nov 22, 2014 at 6:29 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Sat, Nov 22, 2014 at 3:09 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>
> wrote:
>
>> See below on the issue of key derivation
>>
>> On Sat, Nov 22, 2014 at 1:14 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>>
>>> On 21 November 2014 19:29, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote:
>>> > I am glad to hear this too. Please let me know what the sources of
>>> > perceived complexity are.
>>>
>>> The only items of note were:
>>>  - the second update to the handshake protection under g^{xs}+g^{xy}.
>>> We all realized that this was trivially addressed (ekr had a slide at
>>> the meeting that showed an easy simplification, which should be in the
>>> meeting materials).
>>>
>>
>> ​I haven't seen these slides and didn't know about them.
>> The derivation of keys based on g^{xs} and g^{xy} does NOT use a sum or
>> any other algebraic combination (although some combinations are secure,
>> most are not, and identifying the good ones is non-trivial).
>>
>
> Note, I didn't intend addition (and I suspect Martin didn't either). I was
> just using '+' as shorthand for "both" and being vague about the details of
> the key derivation (as you suggest below). Sorry about the confusion.
>
> -Ekr
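As an added illustration of the point made in the thread (this is not code from the thread or from the OPTLS design), the sketch below derives the handshake key from both g^{xs} and g^{xy} by feeding each DH value to HKDF as its own fixed-width input, never as a sum or other algebraic combination. The group, transcript and info label are constructed assumptions; a real deployment would use a standard group such as X25519.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only (not a standards group):
# a large prime modulus and a fixed generator.
P = (1 << 127) - 1
G = 3
ENC_LEN = (P.bit_length() + 7) // 8  # fixed-width encoding of group elements


def keygen():
    """Return (private exponent, public value g^priv mod P)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(dh_xs: int, dh_xy: int, transcript: bytes) -> bytes:
    """Key from BOTH g^{xs} and g^{xy}: each value is a separate, fixed-width
    HKDF input (chained extracts); the two are never added or multiplied.
    The chaining order and info label are assumptions of this example."""
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), dh_xs.to_bytes(ENC_LEN, "big"))
    prk = hkdf_extract(prk, dh_xy.to_bytes(ENC_LEN, "big"))
    return hkdf_expand(prk, b"constructed example: handshake key", 32)


def handshake(s_priv: int, s_pub: int, transcript: bytes = b"constructed transcript"):
    """One exchange against a server with static key s; returns (client_key, server_key)."""
    x, X = keygen()  # client ephemeral
    y, Y = keygen()  # server ephemeral
    client_key = derive_key(pow(s_pub, x, P), pow(Y, x, P), transcript)   # g^{xs}, g^{xy}
    server_key = derive_key(pow(X, s_priv, P), pow(X, y, P), transcript)  # same values, server side
    return client_key, server_key
```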