Re: [TLS] Problems with TLS 1.3 handshake protocol
"Dan Harkins" <dharkins@lounge.org> Tue, 26 August 2014 21:05 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 309CE1A8846 for <tls@ietfa.amsl.com>; Tue, 26 Aug 2014 14:05:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.167
X-Spam-Level:
X-Spam-Status: No, score=-1.167 tagged_above=-999 required=5 tests=[BAYES_50=0.8, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9whNuqKJqThe for <tls@ietfa.amsl.com>; Tue, 26 Aug 2014 14:05:19 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 1830E1A883D for <tls@ietf.org>; Tue, 26 Aug 2014 14:05:19 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id AB6F710224008; Tue, 26 Aug 2014 14:05:18 -0700 (PDT)
Received: from 199.127.104.10 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 26 Aug 2014 14:05:18 -0700 (PDT)
Message-ID: <d92a1a8dbe9fa96dbb04fb4a812b43c7.squirrel@www.trepanning.net>
In-Reply-To: <20140820164500.GA26426@LK-Perkele-VII>
References: <20140820164500.GA26426@LK-Perkele-VII>
Date: Tue, 26 Aug 2014 14:05:18 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7z9wMHF8gr6Ml3JmJkvrE9le9AU
Cc: tls mailing list <tls@ietf.org>
Subject: Re: [TLS] Problems with TLS 1.3 handshake protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:05:20 -0000
Hello, On Wed, August 20, 2014 9:45 am, Ilari Liusvaara wrote: [snip] > 6) Problems with SRP: > --------------------- > > SRP in general needs ServerKeyExchange before ClientKeyExchange. > Now, if client is able to guess the exchange group, the order > of those two can be inverted. > > Also, the key exchange messages have their own format. > > Some additional issues: > - The key shares are relatively large (multiplicative group!) > - The key shares are relatively slow to generate (ditto) > - The usual SRP groups do not match named groups. > > There is no straightforward way to make ECC SRP. All of these issues are addressed by draft-ietf-tls-pwd-- it can use ECC, supports named groups, and can have key shares that are smaller and faster to generate. > Also, SRP is seemingly pretty much unused in context of TLS. > > Proposal: Does this need to be supported? The overwhelming majority of use of TLS is browser based and there really isn't a compelling use for SRP (or any similar kind of password-authenticated key exchange) in a browser but there is in other uses of TLS, notably EST (RFC 7030). EST requires maintenance of a trust anchor database so you need a certificate to get a certificate. By using a TLS cipher suite that does not require a certificate, like TLS-pwd, this problem is mitigated. It's much easier to use an app that implements EST and it's much less likely that such an app would be misconfigured. For this reason alone I think such a cipher suite needs to be supported. regards, Dan.
- [TLS] Problems with TLS 1.3 handshake protocol Ilari Liusvaara
- Re: [TLS] Problems with TLS 1.3 handshake protocol Eric Rescorla
- Re: [TLS] Problems with TLS 1.3 handshake protocol Ilari Liusvaara
- Re: [TLS] Problems with TLS 1.3 handshake protocol Martin Thomson
- Re: [TLS] Problems with TLS 1.3 handshake protocol Eric Rescorla
- Re: [TLS] Problems with TLS 1.3 handshake protocol Martin Thomson
- Re: [TLS] Problems with TLS 1.3 handshake protocol Michael StJohns
- Re: [TLS] Problems with TLS 1.3 handshake protocol Dan Harkins