Re: [TLS] Comments on PR #95

Ilari Liusvaara <> Wed, 07 January 2015 22:36 UTC

Date: Thu, 08 Jan 2015 00:36:26 +0200
From: Ilari Liusvaara <>
To: Tom Wu <>
Message-ID: <20150107223626.GA20002@LK-Perkele-VII>

On Wed, Jan 07, 2015 at 01:40:56PM -0800, Tom Wu wrote:
> > Line 1912: Was anyone using SRP? The more generic we have to make TLS
> > 1.3, and the more we have to shoehorn in, the more complex it gets.
> > This open issue could get hairy.
> SRP is definitely useful, as it's the only PAKE ciphersuite available
> in TLS.  What exactly are the interactions that need to be worked out
> with PSK and SRP?

AFAIK, the issues are:

1) None of the groups defined for TLS are compatible with SRP.
2) Server will encrypt first (in TLS 1.2, client encrypted first).
   This may have cryptographic implications on SRP (and those are
   beyond my ability to analyze).
3) PSK has identities and identity hints.

A solution for 1)

If server selected SRP ciphersuite, it deems client to have missed
a group guess. The message about this includes the SRP group
parameters, and client then transmits its nonce public key
(with some fixed group number, the server knows the group).

A solution for 3)

If server selected PSK ciphersuite and client asked for a hint,
deem client to have missed the group guess. The message about this
includes hint about the identity. The client then transmits its
final identity (if doing "remedials", one could perhaps just
miss the identity and transmit it as a special handshake message).
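Below is an added example (written for this archive page, not code from the message above, from Tom Wu, or from the TLS WG draft) that simulates the "missed group guess" flow sketched as the solution for 1): the client guesses an ordinary group in its first flight, the server picks SRP and answers with a retry message carrying the SRP group parameters, the client then sends its SRP public value, and both sides derive the premaster secret. The message and field names (retry_request, client_key_share, srp_A, srp_B), the placeholder group name, the user table and the salt are invented for illustration; the SRP-6a arithmetic, the SHA-1 hashing and the A mod N / B mod N rejection checks follow RFC 5054, and the group is the RFC's 1024-bit one. It does not attempt to address issues 2) or 3).

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A.  In the sketched flow the
# server would carry these parameters in its "missed group guess" message.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8


def _pad(x: int) -> bytes:
    """PAD() from RFC 5054: left-pad to the byte length of N."""
    return x.to_bytes(NLEN, "big")


def _h(*parts: bytes) -> int:
    # SRP hash as an integer; SHA-1 is what RFC 5054 specifies.
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


K = _h(_pad(N), _pad(G))  # k = H(N | PAD(g))


def _x(identity: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I | ":" | P)) per RFC 5054."""
    inner = hashlib.sha1(f"{identity}:{password}".encode()).digest()
    return _h(salt, inner)


def srp_verifier(identity: str, password: str, salt: bytes) -> int:
    return pow(G, _x(identity, password, salt), N)


class SrpServer:
    def __init__(self, users: dict):
        self.users = users  # identity -> (salt, verifier); constructed table

    def on_client_hello(self, hello: dict) -> dict:
        # The server picks SRP, so whatever group the client guessed is
        # useless.  Treat that as a missed group guess and send back the
        # SRP group plus the user's salt (message name is invented here).
        salt, self.v = self.users[hello["srp_identity"]]
        return {"type": "retry_request", "reason": "missed_group_guess",
                "srp_group": {"N": N, "g": G}, "salt": salt}

    def on_client_key_share(self, msg: dict) -> dict:
        self.A = msg["srp_A"]
        if self.A % N == 0:                 # RFC 5054 requires this check
            raise ValueError("illegal SRP value A")
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K * self.v + pow(G, self.b, N)) % N
        return {"type": "server_key_share", "srp_B": self.B}

    def premaster(self) -> int:
        u = _h(_pad(self.A), _pad(self.B))
        return pow(self.A * pow(self.v, u, N), self.b, N)


class SrpClient:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def client_hello(self) -> dict:
        # First flight: guess a non-SRP group (placeholder name) and offer
        # the SRP identity.  The SRP parameters are not known yet.
        return {"type": "client_hello",
                "key_share_group": "guessed_non_srp_group",
                "srp_identity": self.identity}

    def on_retry(self, msg: dict) -> dict:
        if msg["reason"] != "missed_group_guess":
            raise ValueError("unexpected retry reason")
        grp = msg["srp_group"]
        if (grp["N"], grp["g"]) != (N, G):  # only accept a group we trust
            raise ValueError("unknown SRP group")
        self.x = _x(self.identity, self.password, msg["salt"])
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(G, self.a, N)
        return {"type": "client_key_share", "srp_A": self.A}

    def on_server_key_share(self, msg: dict) -> None:
        self.B = msg["srp_B"]
        if self.B % N == 0:                 # RFC 5054 requires this check
            raise ValueError("illegal SRP value B")

    def premaster(self) -> int:
        u = _h(_pad(self.A), _pad(self.B))
        base = (self.B - K * pow(G, self.x, N)) % N   # equals g^b mod N
        return pow(base, self.a + u * self.x, N)


def run_handshake(server: SrpServer, client: SrpClient) -> bool:
    # Drive the four messages and report whether both sides agree on S.
    retry = server.on_client_hello(client.client_hello())
    server_share = server.on_client_key_share(client.on_retry(retry))
    client.on_server_key_share(server_share)
    return client.premaster() == server.premaster()


def demo(password_entered: str = "correct horse") -> bool:
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    users = {"alice": (salt, srp_verifier("alice", "correct horse", salt))}
    return run_handshake(SrpServer(users), SrpClient("alice", password_entered))


if __name__ == "__main__":
    print("good password agrees:", demo())
    print("bad password agrees: ", demo("battery staple"))
```

The point the simulation makes concrete is that nothing about the client's first key_share is reusable once the server picks SRP: the SRP public value A has to be computed in a group the server supplies, and it cannot be computed before the client knows the salt. The client-side pin to a known group is there because a server-chosen modulus should never be accepted blindly.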