IETF Logo Mail Archive

Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01

Watson Ladd <watsonbladd@gmail.com> Sun, 23 February 2014 20:13 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F3321A06FD for <tls@ietfa.amsl.com>; Sun, 23 Feb 2014 12:13:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7mEspAIVx-8v for <tls@ietfa.amsl.com>; Sun, 23 Feb 2014 12:13:06 -0800 (PST)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id D20801A06F1 for <tls@ietf.org>; Sun, 23 Feb 2014 12:13:05 -0800 (PST)
Received: by mail-yh0-f53.google.com with SMTP id v1so4401632yhn.12 for <tls@ietf.org>; Sun, 23 Feb 2014 12:13:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tJ6JQypzHS6u7eoV39uu2CoAVAV1NHP+q3EecCX5BW0=; b=CkDrx4/sBG00feCVNiN/+V+uUaZP26RbdYZDfOeFZxHrO4fpJH2fyeoBNNg68MYuw+ 22sY7mRbSlIVuYxVvJYk6cq6N0GiQ55QkAfL7n2EnRLTj6YzTsjAH/ZqurJpEquiH6Jz zS52wJW4+0COCcWoioIcgWhrX7wkI860B9mdqHfxPfzjqzYRzHh0pHEEi9mxhcIQ/PWx k4Spp7UojOAS+bk4XFdZ45mXiZ31ItgulQaWQtGZAPmLnbmR9WK2l2S/6F0pbPpwBsxk XE9NPNEzo/7P1mNIAi2dgRGDEt/BB5ocFSOpR2W8fd1iOpp+3+O2sbuAf6F6gtPjEVCW DINA==
MIME-Version: 1.0
X-Received: by 10.236.137.14 with SMTP id x14mr25150523yhi.4.1393186385391; Sun, 23 Feb 2014 12:13:05 -0800 (PST)
Received: by 10.170.92.85 with HTTP; Sun, 23 Feb 2014 12:13:05 -0800 (PST)
In-Reply-To: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
Date: Sun, 23 Feb 2014 12:13:05 -0800
Message-ID: <CACsn0cmZBzrvek_hKTY1Tm-+Win6UOM4paEzJ67JRrk2OZvH7A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FITDSJ5YKWnVJlOhozdIMBIzus8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2014 20:13:08 -0000

It seems to me the basic idea is to have the client encrypt its
handshake after learning the server ECDH key, under the idea that this
protects the client handshake. But this is wrong: the server's key
isn't authenticated, so the handshake isn't actually being protected.
This is why we need to know the server ECDH key for the 1RTT
transaction.

90% of what people use TLS for can be handled by the following flow:
C->S: g^x
S->C: g^y, Sign(g^y, g^x), certificates
C->S:everything encrypted with g^(xy).

This is 1 round trip with no preknowledge, and has additional security.
In particular for SNI we could get some additional information from
DNS like "hi, I'm hosted with alice.com and bob.com, so if you see
other certificates, close the connection." I don't see a way to do
that with the current round trip proposals.

As a sidenote: kick DH. ECDH has the DH speed record, and isn't going
to give it up anytime soon. The IPR issues are long gone for something
invented in 1985.

Sincerely,
Watson Ladd

On Wed, Feb 19, 2014 at 12:40 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> Folks,
>
> I have prepared a new version of the TLS 1.3 flows document which
> should appear in the repository shortly and in the meantime can be
> found at:
>
> https://github.com/tlswg/tls13-spec/blob/master/draft-rescorla-tls-1.3.txt
>
> This version fleshes out a "recommended" set of flows:
>
> - 2-RTT where the client has no knowledge of the
>   server's capabilities.
>
> - 1-RTT where the client knows the server's semi-permanent
>   DHE/ECDHE key pair.
>
> - 0-RTT where the client and the server have shared anti-replay
>   state.
>
> There are still a number of open issues, but this should be clear
> enough to see the direction I am trying to go. These flows are
> structured so that the 1-RTT case is the base case with the 2-RTT and
> 0-RTT versions being variants of the basic 1-RTT handshake. All
> variants encrypt the client extensions that are not required
> to define the cryptographic processing (e.g., SNI is encrypted
> but curve negotiation is not).
>
> I think the high order bit here is whether we want to have
> encrypted SNI, because that dictates the position of the DHE
> exchanges with respect to the server's messages.
>
> There are three options here:
>
> - Never
> - Sometimes
> - Always
>
> The flows in this draft take the position of "Always" which is
> simple. "Never" is actually simpler. "Sometimes" is the most
> complicated.  There are two cases where we could shave off latency if
> we were willing to disclose the SNI to passive attackers (and in cases
> where the client and server have never talked before.) My sense of
> recent discussion is that people feel it's important to have modes
> that protect SNI even if those are not the only modes. However, that
> means that if we want to have non-SNI protecting modes, they are
> additional complexity. Please let me know if I have misread the WG
> here.
>
>
> Here are some other things to keep in mind as you read the document.
>
> - Per my sense of the list, I have totally removed static RSA.  If
> people strongly object to that, please speak up and let me know.
>
> - There has been no real security analysis of this material other than
> at the hand-wavy level. We clearly need that, but the first thing we
> need is to be clear on whether this is approximately the right set of
> points in the complexity/performance/privacy tradeoff space and then
> make sure that the security properties are correct. So, if you see
> something that looks wrong or even grievously wrong, don't panic (but
> do point it out).
>
>
> - There is no currently defined support for any kind of resumption.
> We need to decide if resumption is still an important feature in light
> of the trend towards more PFS and faster processors.  I'm particularly
> looking for input from the IoT/DICE guys here.
>
> - We will probably need to work out some of the details for DTLS, but
> I wanted to get TLS nailed down first.
>
> - We also need to do some work on the symmetric crypto, e.g., to make
> encrypt-then-MAC the default, perhaps to deprecate some ciphers,
> compression, etc. I haven't forgotten that, but I want to deal with
> the handshakes first.
>
> - As before, this incorporates ideas from a lot of different people
> (and many times the same idea from different people). If you think
> you should acknowledged in the text and/or acknowledgements
> differently, please let me know.
>
> Thanks and comments welcome
> -Ekr
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email