IETF Logo Mail Archive

[TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)

Rick van Rein <rick@openfortress.nl> Tue, 25 February 2020 07:33 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51F5D3A0933 for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 23:33:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gl7Nzk-6gMAy for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 23:33:19 -0800 (PST)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2087C3A092D for <tls@ietf.org>; Mon, 24 Feb 2020 23:33:16 -0800 (PST)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud8.xs4all.net with ESMTP id 6UiMjBuErPKvK6UiNjp26Y; Tue, 25 Feb 2020 08:33:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1582615981; h=message-id : date : from : mime-version : to : cc : subject : content-type : content-transfer-encoding : date : from : subject; bh=NkwD78lxQHG82gMe8x+wMvs4RzET8Zsr71Wq19y+Qh0=; b=VIdaEURVBCfdoCC3Vh+tA/mWiwARCuL1mEjy4KQFbl+CQwPRqZfJZ/Xd E0BEAocIDUFp5h5+G7TcxhlhU4AyHEIVqTwX0ZPprcRtD7JVh+ZKe9BXQI L1LG2q3w1FrezyEtYvy98yBComVUdInqL2pUxUYi9ASKlUvtNpTZvJ0OM=
Received: by fame.vanrein.org (Postfix, from userid 1006) id DE68B26542; Tue, 25 Feb 2020 07:32:53 +0000 (UTC)
X-Original-To: tls@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 8452126753; Tue, 25 Feb 2020 07:32:49 +0000 (UTC)
Message-ID: <5E54CDA0.8070209@openfortress.nl>
Date: Tue, 25 Feb 2020 08:32:48 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: TLS WG <tls@ietf.org>
CC: "Tom Vrancken (ARPA2)" <tom.vrancken@arpa2.org>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfP4A0SgKjQnVhecFhgPFaisIW/nk2b/WXxTmB/7/f7wqYzJlAOCvun0kvvfk5Fh5JTOWjucEtSPfpUkg5ZJY/MiBWTGoeqqCYyGpq9sGjymU9OJ4zbG1 gFQ8tSKo7dzrRtaB6vMfbjvO6MKNo6x30r6Zz94knM4se4sPrs91Y+Pq
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FtqPaKY4wnQBDk7tFRSEGuGzqE4>
Subject: [TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 07:33:23 -0000

Hello,

We have prepared the following draft, and request feedback on it.  The
main points are

 * Introduction of (anonymous) Kerberos tickets as added entropy to mix
with ECDH, and thereby provide Quantum Relief; it generalises this idea
to allow for other ways of adding entropy
 * Introduction of Kerberos Tickets for Certificate and
CertificateVerify messages
 * User identity on the server side; how TLS can be relayed to a peer,
which Kerberos can handle with its user-to-user authentication
mechanism; it generalises this idea, and perhaps it might be better as a
separate TLS Extension under ClientHello encryption.
 * Everything applies to TLS 1.3 as well as 1.2.

Our intention is to launch this as an independent proposal.

Your insights are highly appreciated!


Best,

Rick van Rein
Tom Vrancken



A new version of I-D, draft-vanrein-tls-kdh-06.txt
has been successfully submitted by Rick van Rein and posted to the
IETF repository.

Name:		draft-vanrein-tls-kdh
Revision:	06
Title:		Quantum Relief with TLS and Kerberos
Document date:	2020-01-22
Group:		Individual Submission
Pages:		19
URL:
https://www.ietf.org/internet-drafts/draft-vanrein-tls-kdh-06.txt
Status:         https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/
Htmlized:       https://tools.ietf.org/html/draft-vanrein-tls-kdh-06
Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh
Diff:           https://www.ietf.org/rfcdiff?url2=draft-vanrein-tls-kdh-06

Abstract:
   This specification describes a mechanism to use Kerberos
   authentication within the TLS protocol.  This gives users of TLS a
   strong alternative to classic PKI-based authentication, and at the
   same introduces a way to insert entropy into TLS' key schedule such
   that the resulting protocol becomes resistant against attacks from
   quantum computers.  We call this Quantum Relief, and specify it as
   part of a more general framework to make it easier for other
   technologies to achieve similar benefits.

v2.23.0 | Report a Bug | By Email