[TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 05 September 2014 16:09 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 753D41A0739 for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 09:09:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08QbI6hUe0-P for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 09:09:03 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 840B51A034D for <tls@ietf.org>; Fri, 5 Sep 2014 09:09:03 -0700 (PDT)
Received: from [10.70.10.54] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 2BF70F984; Fri, 5 Sep 2014 12:08:59 -0400 (EDT)
Message-ID: <5409E00D.1070703@fifthhorseman.net>
Date: Fri, 05 Sep 2014 12:08:45 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: Markulf Kohlweiss <markulf@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
References: <C90F31503317124C8A9B59786EF212EA032D2C@AMSPRD3001MB017.064d.mgd.msft.net>
In-Reply-To: <C90F31503317124C8A9B59786EF212EA032D2C@AMSPRD3001MB017.064d.mgd.msft.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KUcz5L9X0R4R-c6n9NEHP4olqPo
Subject: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 16:09:06 -0000
Hi Markulf-- Thanks for your post encouraging ongoing collaboration between the theoretical and engineering sides of the security community. This is a worthwhile goal. Can you provide clarification on this point below? On 09/02/2014 11:03 AM, Markulf Kohlweiss wrote: > * To remove distraction and be closer to standard models like Bellare > & Rogaway, we would prefer unencrypted finished messages. In > practice this means that the finished message should be sent before > the ChangeCipherSuite message. I understand that the goal here is to be able to improve cryptanalysis of the confidentiality guarantees provided to the application data stream. Does this mean that the finished message needs to be unencrypted, or does it just mean that the finished message (and/or other parts of the handshake) should not be encrypted using the same keying material/session as the application data? That is, would the cryptanalytic side of the community be OK with having the handshake messages encrypted as long as they were using keys/session material that are distinct from the keys/session material used for the application data? Part of the TLS WG's charter for 1.3 is to encrypt as much of the handshake data as possible. I don't want that goal to interfere with theoretical cryptanalysis, but there are serious privacy concerns related to the handshake data that is sent in the clear in TLS 1.2 and below. If the cryptanalysis community insists on entirely cleartext handshake data, that will be in direct opposition to one of the two major prongs of the TLS charter. (as an aside, it would be nice to get some cryptanalytic review of any confidentiality/integrity we attempt to provide for the handshake material itself, though i understand this may be a separate question from the confidentiality/integrity guarantees we strive for in the application data) Regards, --dkg
- [TLS] Simplifying the proof Watson Ladd
- Re: [TLS] Simplifying the proof Nigel Smart
- Re: [TLS] Simplifying the proof Watson Ladd
- Re: [TLS] Simplifying the proof Markulf Kohlweiss
- [TLS] cryptanalysis vs. encrypted parts of the TL… Daniel Kahn Gillmor
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Fabrice
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael StJohns
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Douglas Stebila
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Hugo Krawczyk
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Alfredo Pironti
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael StJohns
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- [TLS] CB cryptanalysis (Re: cryptanalysis vs. enc… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Manuel Pégourié-Gonnard
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Hugo Krawczyk
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael Sweet
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nikos Mavrogiannopoulos
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael Sweet
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara