IETF Logo Mail Archive

Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt

Yoav Nir <ynir@checkpoint.com> Fri, 04 May 2012 21:13 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C4721F8472 for <tls@ietfa.amsl.com>; Fri, 4 May 2012 14:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.357
X-Spam-Level:
X-Spam-Status: No, score=-10.357 tagged_above=-999 required=5 tests=[AWL=0.242, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1A8BhG8Y12h for <tls@ietfa.amsl.com>; Fri, 4 May 2012 14:13:27 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id B936921F844F for <tls@ietf.org>; Fri, 4 May 2012 14:13:26 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q44LDIHu030592; Sat, 5 May 2012 00:13:19 +0300
X-CheckPoint: {4FA4542A-0-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sat, 5 May 2012 00:13:17 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Sat, 05 May 2012 00:13:20 +0300
Thread-Topic: [TLS] draft-ray-tls-encrypted-handshake-00.txt
Thread-Index: Ac0qOrkwcQrdq1C1TDuqeI7+GCLPbw==
Message-ID: <6296DC06-A0A4-4A75-9FCC-AE0B402CBD20@checkpoint.com>
References: <4FA401F7.5060003@extendedsubset.com>
In-Reply-To: <4FA401F7.5060003@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11f30c4be1fa5f8968fc57728da2aada2d93cd1c5e
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 21:13:28 -0000

Hi Marsh.

Interesting stuff. There have been several ideas for moving parts of the handshake to after the CCS. There's NPN, identity protection, and even the EAP-in-TLS draft. Your draft takes care of the identity protection, but accepting it would also make the others easier.

I think this moves TLS to be more like IKE, where encryption of the IKE protocol precedes everything else (authentication, configuration, and IPsec setup)

IMO this is a huge change to the TLS state machine. Much bigger than the diff between TLS 1.1 and 1.0, and bigger than the difference between 1.2 and 1.1. This should not be an extension but a new version number. You would still need an extension to carry the extra information (if we want backwards compatibility), but negotiating this capability should be done at the version level.

Yoav


On May 4, 2012, at 7:21 PM, Marsh Ray wrote:

> 
> I would appreciate it if the participants of the TLS WG will give this 
> draft a reading and serious consideration to taking it up as a work item:
> 
> ------------------------------
> http://datatracker.ietf.org/doc/draft-ray-tls-encrypted-handshake/
> 
> A new version of I-D, draft-ray-tls-encrypted-handshake-00.txt has been 
> successfully submitted by Marsh Ray and posted to the IETF repository.
> 
> Filename:	 draft-ray-tls-encrypted-handshake
> Revision:	 00
> Title:		 Transport Layer Security (TLS) Encrypted Handshake Creation 
> date:	 2012-05-04
> WG ID:		 Individual Submission
> Number of pages: 18
> Abstract:
>    This specification defines a Transport Layer Security (TLS) extension
>    which allows endpoints to negotiate the use of encryption with
>    forward secrecy at the beginning of the handshake.  Two levels of
>    functionality are defined.  Implementations are free to support one
>    or both levels, with the first level incurring no additional
>    computational or round-trip overhead.  The TLS cryptographic
>    calculations are unchanged.
> ------------------------------
> 
> This draft is motivated by the discussions in recent weeks, when some 
> related issues came up in a similar context:
> 
> * AGL et al. have some particular requirements for the handshake when 
> using the NP(N)/SPDY feature. They really need confidentiality in 
> negotiating the next protocol but they cannot afford the overhead of 
> even one extra round trip (let alone renegotiation). I would like for 
> them to be able to implement NP(N) in an RFC-defined way.
> 
> * When coupled with the RFC 4680 'TLS Handshake Message for Supplemental 
> Data' that Martin Rex pointed out, it provides a powerful and very 
> general way of negotiating features under encryption. It could possible 
> enable new features.
> 
> * Alternatively, we could view this as a round-trip-saving optimization 
> for certain handshake operations that really do need encryption.
> 
> * It allows to encrypt the client certificate without renegotiation, 
> magic cipher suite values, or a bunch of new protocol that isn't useful 
> for anything else.
> 
> * I watched a fascinating presentation from the Tor project
> https://www.youtube.com/watch?v=GwMr8Xl7JMQ
> Unfortunately, they are having to minimize their dependence on TLS 
> because it's so easy to DoS selectively. I don't know if this proposal 
> will make TLS suitable for Tor again, but I do think it represents a 
> shortcoming of the protocol which deserves fixing.
> 
> * There's simply no reason TLS needs to leak so much plaintext.
> 
> * I believe it may help a little with the issue Nikos Mavrogiannopoulos 
> and I were discussing, where an attacker is able to trick the client 
> into interpreting the server's signed key exchange parameters as the 
> wrong type of structure.
> 
> * To the implementers in the group: don't be fooled, it's not as big a 
> change as it looks! I just tried to be extra careful to describe it 
> step-by-step in the spec. Did I mention it doesn't change the crypto 
> calculations?
> 
> Thanks,
> 
> - Marsh
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> Scanned by Check Point Total Security Gateway.

v2.23.0 | Report a Bug | By Email