Re: [TLS] OPTLS: Signature-less TLS 1.3
Eric Rescorla <ekr@rtfm.com> Sat, 01 November 2014 14:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51EC1A88BF for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 07:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KYi3-LMfYjbg for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 07:47:08 -0700 (PDT)
Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DAC41A88BB for <tls@ietf.org>; Sat, 1 Nov 2014 07:47:08 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id d1so3352958wiv.13 for <tls@ietf.org>; Sat, 01 Nov 2014 07:47:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=b7uptotVOAMupm8Vj9ecSF/ECRR4xYEIohJLZ9wD570=; b=V6criqM2DkEbyuvuy7MGrGNpR7fIVWN33oAkP+sr/Y93fXfpkiDWESg80PnfQc4WVx 3A4+11b8cdlay8xUhuJ5e2Gb/BegHvGxvc3hfJtFf+Nq0tVeY9vdV1DX9NY9V3CT9BXC bMDLFQiq3Wh9CKWN8GnxhvTlBZA11sLrnh09Rz4zXP216MPJMpjXMUeCR3akmX8VQMEE JdQzGEeeuRdEZRxgNt1d/rLEh/siBw27W8H9IMJ01CkZLEd9Xxo1ytbIHa1Z42kEDKFb QR9ar1X2ExCsBojBwe2OuNbBLAKk8ceKnfeyyhWaZPxGhTWVjx8vEylrm/ZYgKBSB/f8 sWnw==
X-Gm-Message-State: ALoCoQnUHN8YMf43YR9UOQIVhL+XJenfp1sAepIKdcSovQlv00LA+Br8+Pk7IMLvYU+fsuyVJhDH
X-Received: by 10.194.206.106 with SMTP id ln10mr35274293wjc.90.1414853226875; Sat, 01 Nov 2014 07:47:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sat, 1 Nov 2014 07:46:26 -0700 (PDT)
In-Reply-To: <20141101101611.GA25180@LK-Perkele-VII>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com> <20141101101611.GA25180@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 01 Nov 2014 07:46:26 -0700
Message-ID: <CABcZeBNYpQu=SCorXDa+TEEGVLb7d902LAed5fjDeK-wbafVRw@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="047d7b874afeff641f0506cd2f64"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/IRuTUVRiUJgxPd2z0HzrsjgFXv8
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 14:47:11 -0000
On Sat, Nov 1, 2014 at 3:16 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi > wrote: > > > > PROTOCOL OPTLS: > > > > > > ClientHello > > > ClientKeyShare > > > ClientData* [K0] --------> > > > ServerHello > > > ServerKeyShare > > > ServerCertificate* [K1] > > > ServerFinished [K2] > > > <-------- ServerData* [K2] > > > ClientFinished* [K2] --------> > > > > > > > > > Protected Application Data [K3] > > > <-------> > > > 1-RTT CASE: > > > > > > The basic 1-RTT case omits the ClientData* field. It includes a > > > ClientKeyShare > > > g^x and a ServerKeyShare g^y and an optional (encrypted) server > > > certificate. > > > If the certificate is sent (it can be omitted if the client has > indicated > > > that > > > it knows the server key as in the case in the 0-RTT scenario) and is > > > encrypted, > > > the encryption key K1 is derived from g^{xy}. > > > > > > Key K2 is an encryption key derived from both g^{xs} and g^{xy}. It is > used > > > to > > > authenticate-encrypt the ServerFinished and ClientFinished messages > (which > > > include a hash of the previous traffic) and to encrypt data from the > server > > > if > > > such data is piggybacked to the second message. > > > > How does the client get the DH (or ECDH) group parameters used by the > server? > > Presumably from ServerHello (with CKS being optimistic). > > But the case where client misses all its guesses needs to be handled. Unless I'm missing something, this can be handled the way that we currently handle missed guesses, I.e., by having a HelloRetryRequest followed by a new ClientHello/ClientKeyShare. Though of course the server does need to either keep their RSA private key online or periodically generate new signed DH shares for every group. > However, this poses some challenges with respect to revocation. From what I > understand, the parameters are intended to have limited lifetime (much > shorter than EE certificates). > > The reason this is problematic is that one can't really rely on clocks: > - Even if you happen to have sub-second accurate clock, a lot of computers > don't. > - The time protocols often aren't secured, allowing attacker to play tricks > with endpoint time. We're already starting to have that problem because of a desire to move to OCSP stapling, which, with staple, effectively gives the server a credential which is valid only within a fairly narrow window. However, I think you're right that this probably limits the range of lifetimes you can use with these signed DH keys. -Ekr
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk