[TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)
Rick van Rein <rick@openfortress.nl> Tue, 25 February 2020 07:33 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51F5D3A0933 for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 23:33:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gl7Nzk-6gMAy for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 23:33:19 -0800 (PST)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2087C3A092D for <tls@ietf.org>; Mon, 24 Feb 2020 23:33:16 -0800 (PST)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud8.xs4all.net with ESMTP id 6UiMjBuErPKvK6UiNjp26Y; Tue, 25 Feb 2020 08:33:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1582615981; h=message-id : date : from : mime-version : to : cc : subject : content-type : content-transfer-encoding : date : from : subject; bh=NkwD78lxQHG82gMe8x+wMvs4RzET8Zsr71Wq19y+Qh0=; b=VIdaEURVBCfdoCC3Vh+tA/mWiwARCuL1mEjy4KQFbl+CQwPRqZfJZ/Xd E0BEAocIDUFp5h5+G7TcxhlhU4AyHEIVqTwX0ZPprcRtD7JVh+ZKe9BXQI L1LG2q3w1FrezyEtYvy98yBComVUdInqL2pUxUYi9ASKlUvtNpTZvJ0OM=
Received: by fame.vanrein.org (Postfix, from userid 1006) id DE68B26542; Tue, 25 Feb 2020 07:32:53 +0000 (UTC)
X-Original-To: tls@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 8452126753; Tue, 25 Feb 2020 07:32:49 +0000 (UTC)
Message-ID: <5E54CDA0.8070209@openfortress.nl>
Date: Tue, 25 Feb 2020 08:32:48 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: TLS WG <tls@ietf.org>
CC: "Tom Vrancken (ARPA2)" <tom.vrancken@arpa2.org>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfP4A0SgKjQnVhecFhgPFaisIW/nk2b/WXxTmB/7/f7wqYzJlAOCvun0kvvfk5Fh5JTOWjucEtSPfpUkg5ZJY/MiBWTGoeqqCYyGpq9sGjymU9OJ4zbG1 gFQ8tSKo7dzrRtaB6vMfbjvO6MKNo6x30r6Zz94knM4se4sPrs91Y+Pq
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FtqPaKY4wnQBDk7tFRSEGuGzqE4>
Subject: [TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 07:33:23 -0000
Hello, We have prepared the following draft, and request feedback on it. The main points are * Introduction of (anonymous) Kerberos tickets as added entropy to mix with ECDH, and thereby provide Quantum Relief; it generalises this idea to allow for other ways of adding entropy * Introduction of Kerberos Tickets for Certificate and CertificateVerify messages * User identity on the server side; how TLS can be relayed to a peer, which Kerberos can handle with its user-to-user authentication mechanism; it generalises this idea, and perhaps it might be better as a separate TLS Extension under ClientHello encryption. * Everything applies to TLS 1.3 as well as 1.2. Our intention is to launch this as an independent proposal. Your insights are highly appreciated! Best, Rick van Rein Tom Vrancken A new version of I-D, draft-vanrein-tls-kdh-06.txt has been successfully submitted by Rick van Rein and posted to the IETF repository. Name: draft-vanrein-tls-kdh Revision: 06 Title: Quantum Relief with TLS and Kerberos Document date: 2020-01-22 Group: Individual Submission Pages: 19 URL: https://www.ietf.org/internet-drafts/draft-vanrein-tls-kdh-06.txt Status: https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/ Htmlized: https://tools.ietf.org/html/draft-vanrein-tls-kdh-06 Htmlized: https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh Diff: https://www.ietf.org/rfcdiff?url2=draft-vanrein-tls-kdh-06 Abstract: This specification describes a mechanism to use Kerberos authentication within the TLS protocol. This gives users of TLS a strong alternative to classic PKI-based authentication, and at the same introduces a way to insert entropy into TLS' key schedule such that the resulting protocol becomes resistant against attacks from quantum computers. We call this Quantum Relief, and specify it as part of a more general framework to make it easier for other technologies to achieve similar benefits.
- [TLS] I-D: TLS += Kerberos (provides Quantum Reli… Rick van Rein
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Salz, Rich
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Nico Williams
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Rick van Rein
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Salz, Rich
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Rick van Rein