IETF Logo Mail Archive

Re: [TLS] OPTLS: Signature-less TLS 1.3

Hugo Krawczyk <hugo@ee.technion.ac.il> Sun, 02 November 2014 22:29 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1541A1A9D for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:29:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.222
X-Spam-Level: *
X-Spam-Status: No, score=1.222 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZXrhL_jvruX for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:29:17 -0800 (PST)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A641A1A9C for <tls@ietf.org>; Sun, 2 Nov 2014 14:29:16 -0800 (PST)
Received: by mail-la0-f46.google.com with SMTP id hs14so8801440lab.33 for <tls@ietf.org>; Sun, 02 Nov 2014 14:29:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=PhbQv1XilKEvmY49S6lFnlOVQmCZf2pS+ALsP/rrOeo=; b=ScTsacj+slNZJD0Z74hpSx7RAyDGour157Pot8YiqKzLT+YWE0JTjwBFJKVv5Y7xUy 1dFBBO2rzYopuiFyHmg4JppeAn7INr0VPONQuNSgFn6MkULpfxeqVuX6g7v5X7soPZbo p8fN2jSDIE0xGj0nuy5Lrzq3ha2zkgd5jenrr7FdIBqwg4kBMl6HpIQle+kqkWlFfSn5 Zz+7uek02dhTMp0ntvrGuCEUe2/9DQ/JRkquq1lkcOKQk70jCcNfCRkjIMKmdn2h0Iv+ Ftajr2BcJWprGsGJ7Amd+Q6+HV3wB2bGodD/4FfXV0sA/dHsVYp3d30Ydr/KAE//xdPr uUNw==
X-Received: by 10.112.97.175 with SMTP id eb15mr46192238lbb.12.1414967354933; Sun, 02 Nov 2014 14:29:14 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.20 with HTTP; Sun, 2 Nov 2014 14:28:44 -0800 (PST)
In-Reply-To: <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 03 Nov 2014 00:28:44 +0200
X-Google-Sender-Auth: 5f5cqXYjBybfoob0q2DELkDudH4
Message-ID: <CADi0yUO+wobcn0NHGc3-avzMBwTwUjbvSGk8aEmdrCC8d0bEMQ@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: multipart/alternative; boundary="001a1133b6348f4a420506e7c295"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/AqVWsjSe1ia4fVC0m3vg-fiFHyQ
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Nov 2014 22:29:18 -0000

The issues regarding group matching (and mis-matching) raised here and
discussed
in other messages are indeed very important. In the case of server-only
authentication this reduces to the client guessing the right g^x and thus
requires dealing with wrong guesses (this only applies to the 1-RTT case as
in
the 0-RTT case the client learns the group together with the server's static
key g^s). In the mutual authentication case, if server and client cannot
agree
on using the same group for authentication, then the client would need to
choose its g^x in the server's group while authentication by the client
would
require the server to send an additional ServerKeyShare in the client's
group.
Note, however, that in the use case where the parties have certificates for
signature keys and they sign their own static DH key, clients and servers
can
possess static DH keys in different groups (without requiring a CA-issued
certificate for each such group), hence more easily support the peer's
group.

Hugo



On Sat, Nov 1, 2014 at 11:41 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>
wrote:

> ----- Original Message -----
> > During the TLS interim meeting of last week (Oct 22 2014) I suggested
> that
> > TLS
> > 1.3 should abandon signature-based authentication (other than for
> > certificates)
> > and be based solely on a combination of ephemeral Diffie-Hellman for PFS
> and
> > static Diffie-Hellman for authentication. This has multiple benefits
> > including
> > major performance gain (by replacing the per-handshake RSA signature by
> the
> > server with a much cheaper elliptic curve exponentiation), compatibility
> > with
> > the mechanisms required for forward secrecy, natural accommodation of a
> > 0-RTT
> > option, and a simple extension without signatures for client
> authentication.
>
> That effectively deprecates all existing infrastructure used for TLS that
> pretty
> much only works with RSA and ECDSA certificates (from smart cards, to HSMs
> and
> acceleration hardware). That's not necessarily bad, and we may already be
> past the
> point where TLS 1.3 can be considered a minor revision of TLS 1.2.
>
> > PROTOCOL OPTLS:
> >
> > ClientHello
> > ClientKeyShare
> > ClientData* [K0]       -------->
> >                                            ServerHello
> >                                            ServerKeyShare
> >                                            ServerCertificate* [K1]
> >                                            ServerFinished [K2]
> >                        <--------           ServerData* [K2]
> > ClientFinished* [K2]   -------->
> >
> >
> >             Protected Application Data [K3]
> >                        <------->
> > 1-RTT CASE:
> >
> > The basic 1-RTT case omits the ClientData* field. It includes a
> > ClientKeyShare
> > g^x and a ServerKeyShare g^y and an optional (encrypted) server
> > certificate.
> > If the certificate is sent (it can be omitted if the client has indicated
> > that
> > it knows the server key as in the case in the 0-RTT scenario) and is
> > encrypted,
> > the encryption key K1 is derived from g^{xy}.
> >
> > Key K2 is an encryption key derived from both g^{xs} and g^{xy}. It is
> used
> > to
> > authenticate-encrypt the ServerFinished and ClientFinished messages
> (which
> > include a hash of the previous traffic) and to encrypt data from the
> server
> > if
> > such data is piggybacked to the second message.
>
> How does the client get the DH (or ECDH) group parameters used by the
> server?
>
> > CLIENT AUTHENTICATION:
> >
> > Client authentication can be supported via an option or extension. It
> would
> > include a client certificate for a static DH key g^c sent in the third
> > message
> > (the certificate can be encrypted under key K2 to provide client's
> identity
> > protection). In this case, the key for computing the ClientFinished
> message
> > and
> > the application key K3 would be derived from a combination of the values
> > g^xy,
> > g^xs, g^yc (and possibly also g^{cs}).
>
> As I understand client authentication as above would only work if both the
> client
> and the server share the same DH/ECDH group for their certificates, and
> that cannot
> be assumed to be true on an infrastructure that is designed to upgrade
> (e.g., change
> client certs from secp192r1 to secp256r1).
>
> regards,
> Nikos
>

v2.23.0 | Report a Bug | By Email