Re: [TLS] A la carte handshake negotiation
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sun, 28 June 2015 07:44 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B77021ACD69 for <tls@ietfa.amsl.com>; Sun, 28 Jun 2015 00:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_44=0.6, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLGad6eclCo7 for <tls@ietfa.amsl.com>; Sun, 28 Jun 2015 00:44:07 -0700 (PDT)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B94F1ACD63 for <tls@ietf.org>; Sun, 28 Jun 2015 00:44:06 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 244381887AD; Sun, 28 Jun 2015 10:44:03 +0300 (EEST)
Date: Sun, 28 Jun 2015 10:44:03 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Nico Williams <nico@cryptonector.com>
Message-ID: <20150628074403.GA13633@LK-Perkele-VII>
References: <201506111558.21577.davemgarrett@gmail.com> <20150626221456.GK6117@localhost> <CAF8qwaAkBAXDkhd3zU=uO1t-dv7iu0bhb9bH28JHROrWp98SEA@mail.gmail.com> <201506261924.24454.davemgarrett@gmail.com> <20150627014034.GL6117@localhost> <20150627080928.GA7886@LK-Perkele-VII> <20150628050607.GN6117@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20150628050607.GN6117@localhost>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8PMKGj2CkgbT8Qmm5b0TsYtNaHc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jun 2015 07:44:09 -0000
On Sun, Jun 28, 2015 at 12:06:09AM -0500, Nico Williams wrote: > On Sat, Jun 27, 2015 at 11:09:28AM +0300, Ilari Liusvaara wrote: > > > We could do even better: stop cartesian products altogether. > > > > > > TLS_SRV_AUTH_NONE (anon) > > > TLS_SRV_AUTH_PKIX (certs) > > > TLS_SRV_AUTH_PSK (also authenticates the client) > > > > > > TLS_KEX_DH > > > TLS_KEX_ECDH > > > TLS_KEX_KEY_TRANSPORT (encryption to the server's RSA pubkey) > > > > > > TLS_ENC_AES_128_GCM_SHA256 (the hash is for the handshake, but has to > > > match the symmetric encryption suite's > > > strength) > > > TLS_ENC_AES_256_GCM_SHA512 > > > ... > > > > > > Key exchange, authentication, bulk+hash. > > > > One can't really decouple authentication and key exchange cleanly, > > especially because of PSK (KEX+Auth sets key exchange shape). > > But I think it simplifies things if we separate them and note that some > mechanisms of one kind have a "twin" of the other kind. > > Imagine that TLS 1.3 clients offer / servers select mechanisms for key > exchange and authentication separately but either may contribute to the > other. Thus to do PSK without PFS the client would offer PSK for key > exchange, and PSK again for authentication. If the client offers ECDH > for key exchange and PSK for both (and no others), then the server can > pick either PSK only, or PSK + ECDH; if the client offers ECDH for key > exchange and PSK for authentication (and no others) then the server must > do that (or fail). > > Some combinations would be non-sensical, such as RSA key transport for > key exchange but PSK for authentication. The server must not pick them, > but with the client only offering sets of mechanisms from which the > server picks, that's fine. If there's no sane combination that could be > picked, then the client screwed up and the connection fails. "Chinese menus" with coupled choices are classical source of interop problems. Also, out of 6 points for kex/aux (after unifying DH, adding PSK and renaming PKIX to CERT), only 4 seem sane: GDH+CERT GDH+PSK GDH+ANON PSK+PSK KEY_TRANSPORT doesn't lead to anything sane without greatly different key exchange. If new PAKE KEX would be added, it would add 2 combinations fooPAKE+CERT and fooPAKE+ANON (6 for 7). > > Also, DH and ECDH (and perhaps some other things) do unify to GDH. > > Yes. Preferably all DH-like key agreement protocols should be unified, > especially when they can work with standard groups. Things that I think might be able to unify are SIDH and RLWE (but I'm not sure, especially of the latter). Which would be nice, given that both are allegedly PQ, and together with PQ signatures would make PQ protocol. The requirements for unification are: - Capability to work with fixed public parameters - Only one message per side. - The messages can be in either order (even if client always goes first). - Message size <64kB for both. > > Also, one way to do PRF-hash replacement would be to define sets of > > PRF-hashes, and have the symmetric algorithm pick algorithm from > > that set. > > Sure. I tend to think of the PRF as part of the handshake, so it's a > bit strange to associate it with the bulk cipher, but since we want to > match their strengths, it makes some sense. We also have to match key > exchange and authentication strengths, but we want to succeed with a > mismatch provided we don't fall to realtime downgrade attacks -- the one > thing we can always match is the hashed and the bulk ciphers. The reason to have a plan for PRF replacement is that formally TLS 1.3 requires CR prf-hash (even if reality may be a lot less harsh). So if SHA-2 ever breaks, there might be a lot of new ciphers.... (SHA-2 breaking would also cause problems with signatures, but that is a separate matter and only partially solvable at TLS level). -Ilari
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Aaron Zauner
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Aaron Zauner
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- [TLS] ECDH_anon I-D (was: A la carte handshake ne… Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Salz, Rich
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Salz, Rich
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Daniel Kahn Gillmor
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Daniel Kahn Gillmor
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Peter Gutmann
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Manuel Pegourie-Gonnard
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Kyle Rose
- Re: [TLS] A la carte handshake negotiation Martin Thomson
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Peter Gutmann
- Re: [TLS] A la carte handshake negotiation Kyle Rose
- Re: [TLS] A la carte handshake negotiation Peter Gutmann