Re: [TLS] An IETF draft on TLS based on ECCSI public key (RFC 6507)
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 07 July 2017 16:15 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C095612EBF4 for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 09:15:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BRaioMrxoi1V for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 09:15:32 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 569C91201FA for <tls@ietf.org>; Fri, 7 Jul 2017 09:15:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 280312125D; Fri, 7 Jul 2017 19:15:30 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id c9a4hEv2aDSL; Fri, 7 Jul 2017 19:15:29 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id BC94FC4; Fri, 7 Jul 2017 19:15:25 +0300 (EEST)
Date: Fri, 07 Jul 2017 19:15:25 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>, Wang Haiguang <Wang.Haiguang1@huawei.com>
Message-ID: <20170707161525.ayv4z4olmo4r3h73@LK-Perkele-VII>
References: <149907920017.607.217202033021863337.idtracker@ietfa.amsl.com> <0AE05CBFB1A6A0468C8581DAE58A31309DF69D8C@SINEML521-MBX.china.huawei.com> <20170704112144.gzfenmkmvmwry4tg@LK-Perkele-VII> <201707062201.08455.davemgarrett@gmail.com> <5af19fe7273748579cb2537313667aba@usma1ex-dag1mb1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <5af19fe7273748579cb2537313667aba@usma1ex-dag1mb1.msg.corp.akamai.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GQb99CVN_ovfVbxhkGD4Vv8QQO0>
Subject: Re: [TLS] An IETF draft on TLS based on ECCSI public key (RFC 6507)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 16:15:35 -0000
On Fri, Jul 07, 2017 at 03:14:10PM +0000, Salz, Rich wrote: > > Just as a clarification, all new RFCs should ideally meet all of the following > > criteria: > > * AEAD only > > * PFS only > > * TLS 1.2 and 1.3 support > > * no TLS 1.0 or 1.1 support (let alone SSL) > > * no use of broken hashes (MD5, SHA1, etc.) > > That's a good idea. > > Want to throw together a quick draft for curdle or AD-sponsored SAAG? Well, my own view is (with explanations): - AEAD only. TLS streammode has all ciphers deprecated, and furthermore contains a design mistake. TLS blockmode padding is outside MAC, which makes implementing such modes securely very hard. This leaves just AEAD ciphers. - No use of broken, dubious, <128-bit keylength or <128-bit blocklength ciphers. These probably won't last long until becoming attack vectors (RC4 anyone, that was dubious back in late 90s, when TLS 1.0 was done). - PFS or pure-PSK only. Small things can't do PFS unforunately. - No use of l < 2^241 for key exchange. Such key exchanges provode <120 bits of security (or thereabouts). I used 2^241, since this is between the values used by methods claiming to be "128-bit secure" and "112-bit secure" (or even weaker). - Security of any key exchange method against classical attacks has to be well established. No key exchanges that are dubious against non-quantum attacks. Impiles hybrid PQC exchanges,if relevant. I have seen a dubious key exchange method just catastrophically fail. - Support TLS 1.3 (unless it is a security fix for earlier TLS, in that case it has to co-exist with TLS 1.3). The current version of TLS in the relevant timeframe will be 1.3. - No fallbacks for TLS 1.0 or 1.1. Don't waste effort on TLS 1.0 or 1.1. Use any new features in TLS 1.2 (e.g., not having to define key exchange methods for signature methods) if those make things simpler. - No use of broken, dubious, unusual (including usage mode) or <128-bit secure hashes. These probably won't last long, or will be headache to find implementations for (e.g., try finding implementation of Skein that supports any more exotic use of datatyping than the native MAC mode, the reference implementation does not). -Ilari
- [TLS] An IETF draft on TLS based on ECCSI public … Wang Haiguang
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Ilari Liusvaara
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Wang Haiguang
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Dave Garrett
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Salz, Rich
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Ilari Liusvaara
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Russ Housley
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Ilari Liusvaara
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Dave Garrett
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Martin Thomson
- Re: [TLS] An IETF draft on TLS based on ECCSI pub… Wang Haiguang