IETF Logo Mail Archive

Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

Alyssa Rowan <akr@akr.io> Thu, 27 March 2014 12:59 UTC

Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9371A068D for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YiAlLCXEnkVg for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:59:09 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 0886B1A00B4 for <tls@ietf.org>; Thu, 27 Mar 2014 05:59:08 -0700 (PDT)
Received: from [10.103.236.114] (94.197.120.139.threembb.co.uk [94.197.120.139]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by entima.net (Postfix) with ESMTPSA id 57E88600FE for <tls@ietf.org>; Thu, 27 Mar 2014 12:59:06 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <02c101cf49b9$5d080da0$171828e0$@offspark.com>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de> <20140327115551.GA24503@randombit.net> <6f43d6c5-b70f-4a80-98e6-f653011317c7@email.android.com> <02c101cf49b9$5d080da0$171828e0$@offspark.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Mar 2014 12:59:02 +0000
To: tls@ietf.org
Message-ID: <3d2bb399-b932-4bc1-89d0-848260e0036d@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BVJTJz86TR4PiL4220QcHg1QviA
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 12:59:10 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 27 March 2014 12:37:43 GMT+00:00, Paul Bakker <p.j.bakker@offspark.com> wrote:

>Other key exchanges, such as pure PSK have their value in very-low-resource
>situations.

Hmm. Where you're low resource enough to have to pre-share keys, you're specifying your own profile because you know exactly what's connecting (otherwise you couldn't pre-share keys with it).

I don't think that's suitably applicable to the general profile for TLS on the internet.

Maybe, if you're that constrained, you don't *really* want TLS and its x.509 luggage at all: AES-GCM or ChaCha20-Poly1305 and a monotonic counter nonce? And if you want forward security, and you probably should, then you probably want... curve25519.

I certainly don't see how that's a good argument for keeping DHE around, which is the fattest of the key exchanges. Seems rather like the opposite, actually.

>And I think it's never a good idea to depend on a single key exchange
>scheme, for future security robustness.

Agreed, which is part of why I suggested ECDHE over *two* curves: djb's fast curve25519, and NIST's already-deployed and 'Suite Beatified' secp256r1. They're fairly different.

We can specify further ones in future if (and hopefully in advance of when) problems arise. Specifying several exchanges might potentially make us vulnerable to the difficulties of both, if the attacker gets to pick which. We *should* safely avoid that of course, but it should be kept in mind.

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJTNCCWGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6EzkQAKJJOpH7xSKAzcP+ENVAMtO3wD+u5z2Q8JLPTwGc4+x+vo8hsPk6
rFXqt2311ENAkGdft99eD7n8xSF03a/WVnSNv6pn20XLeJhXiWPyv6m2onL8+Kv0
wAQbkIp6WN1bb4BvlQ9EVYTWFmxIEZpCW7A1ebi95sdi/Z+ctwS6F5AYBn3DQx2Z
2UVGS0idrcXA1F1js31WfPEggYsAf9AH9jpBV6Ya3233KdGYqlptx4o9vLDY3lZn
yojcYKPcRg6e1hCGkTUYr/cckj3qnal3oHjKQBrILRysxPKm4KavDzVRjvrMgwBU
C4sQP+mQHm9+ynYcYySrur0uD5f8tFdCgYOHJa3gj9eppfufZxt303SOuLbbyW6k
Qoryg/YNeZ6kvIyLRqxbVNACBYamNwVZxnNedZm10VfW6FSr7AE1m58PFyCK8Wu2
v7tacmnCVe+zl6KHKLDcnTaS2iRdM1QwUBOoTdcxvlRddzJTPi0cs5ghRbs5ZCpM
fTIaNVGcVPx1GuNUpWu6rhA3U+E+oMojmyVMjJEHQWYXryJoi0MCS+TW0MInrGfW
uD4qt2P7RltmZw+qsRKuv6yKs+904LpFqsyMZa+DFVMis5ntvBBMIpyp3eNDX8A/
SpqSypLovgVRKc3oA8TTwvTU+jucVDIUHwU2YQC+gr68rI5gg2wmWuL1
=IABy
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email