IETF Logo Mail Archive

Re: [TLS] An IETF draft on TLS based on ECCSI public key (RFC 6507)

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 07 July 2017 16:15 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C095612EBF4 for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 09:15:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BRaioMrxoi1V for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 09:15:32 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 569C91201FA for <tls@ietf.org>; Fri, 7 Jul 2017 09:15:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 280312125D; Fri, 7 Jul 2017 19:15:30 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id c9a4hEv2aDSL; Fri, 7 Jul 2017 19:15:29 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id BC94FC4; Fri, 7 Jul 2017 19:15:25 +0300 (EEST)
Date: Fri, 07 Jul 2017 19:15:25 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>, Wang Haiguang <Wang.Haiguang1@huawei.com>
Message-ID: <20170707161525.ayv4z4olmo4r3h73@LK-Perkele-VII>
References: <149907920017.607.217202033021863337.idtracker@ietfa.amsl.com> <0AE05CBFB1A6A0468C8581DAE58A31309DF69D8C@SINEML521-MBX.china.huawei.com> <20170704112144.gzfenmkmvmwry4tg@LK-Perkele-VII> <201707062201.08455.davemgarrett@gmail.com> <5af19fe7273748579cb2537313667aba@usma1ex-dag1mb1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <5af19fe7273748579cb2537313667aba@usma1ex-dag1mb1.msg.corp.akamai.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GQb99CVN_ovfVbxhkGD4Vv8QQO0>
Subject: Re: [TLS] An IETF draft on TLS based on ECCSI public key (RFC 6507)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 16:15:35 -0000

On Fri, Jul 07, 2017 at 03:14:10PM +0000, Salz, Rich wrote:
> > Just as a clarification, all new RFCs should ideally meet all of the following
> > criteria:
> > * AEAD only
> > * PFS only
> > * TLS 1.2 and 1.3 support
> > * no TLS 1.0 or 1.1 support (let alone SSL)
> > * no use of broken hashes (MD5, SHA1, etc.)
> 
> That's a good idea.
> 
> Want to throw together a quick draft for curdle or AD-sponsored SAAG?

Well, my own view is (with explanations):

- AEAD only.

TLS streammode has all ciphers deprecated, and furthermore contains a
design mistake. TLS blockmode padding is outside MAC, which makes
implementing such modes securely very hard. This leaves just AEAD
ciphers.

- No use of broken, dubious, <128-bit keylength or <128-bit blocklength
  ciphers.

These probably won't last long until becoming attack vectors (RC4
anyone, that was dubious back in late 90s, when TLS 1.0 was done).

- PFS or pure-PSK only.

Small things can't do PFS unforunately.

- No use of l < 2^241 for key exchange.

Such key exchanges provode <120 bits of security (or thereabouts).
I used 2^241, since this is between the values used by methods claiming
to be "128-bit secure" and "112-bit secure" (or even weaker).

- Security of any key exchange method against classical attacks has to
  be well established.

No key exchanges that are dubious against non-quantum attacks. Impiles
hybrid PQC exchanges,if relevant. I have seen a dubious key exchange
method just catastrophically fail.

- Support TLS 1.3 (unless it is a security fix for earlier TLS, in that
  case it has to co-exist with TLS 1.3).

The current version of TLS in the relevant timeframe will be 1.3.

- No fallbacks for TLS 1.0 or 1.1.

Don't waste effort on TLS 1.0 or 1.1. Use any new features in TLS 1.2
(e.g., not having to define key exchange methods for signature methods)
if those make things simpler.

- No use of broken, dubious, unusual (including usage mode) or <128-bit
  secure hashes.

These probably won't last long, or will be headache to find
implementations for (e.g., try finding implementation of Skein that
supports any more exotic use of datatyping than the native MAC mode,
the reference implementation does not).




-Ilari

v2.23.0 | Report a Bug | By Email