Re: [TLS] New Version Notification for draft-bzwu-tls-ecdhe-keyshare-00.txt

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 28 April 2015 04:54 UTC

Date: Tue, 28 Apr 2015 07:54:40 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: "武炳正(允中)" <bingzheng.wbz@alibaba-inc.com>
Message-ID: <20150428045440.GA7907@LK-Perkele-VII>
References: <20150427023926.28938.22369.idtracker@ietfa.amsl.com> <008e01d080e5$a2db6de0$e89249a0$@alibaba-inc.com> <20150427173533.GA910@LK-Perkele-VII> <001c01d0815e$783cbde0$68b639a0$@alibaba-inc.com>
In-Reply-To: <001c01d0815e$783cbde0$68b639a0$@alibaba-inc.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NEmEeEXCgy53bXYmG3KCSWqmIz0>
Cc: tls@ietf.org
Subject: Re: [TLS] New Version Notification for draft-bzwu-tls-ecdhe-keyshare-00.txt

On Tue, Apr 28, 2015 at 10:53:13AM +0800, 武炳正(允中) wrote:
> 
> 
> > -----Original Message-----
> > From: Ilari Liusvaara [mailto:ilari.liusvaara@elisanet.fi]
> > Sent: Tuesday, April 28, 2015 1:36 AM
> > To: 武炳正(允中)
> > Cc: tls@ietf.org
> > Subject: Re: [TLS] New Version Notification for
> > draft-bzwu-tls-ecdhe-keyshare-00.txt
> > 
> > On Mon, Apr 27, 2015 at 08:28:16PM +0800, 武炳正(允中) wrote:
> > >
> > > https://datatracker.ietf.org/doc/draft-bzwu-tls-ecdhe-keyshare/
> > >
> > > This extension allows a TLS client to carry ECDHE keyshare in ClientHello
> > message, so as to reduce the full handshake latency of 1RTT.
> > >
> > > Please kindly review it. Any comments are welcomed.
> > 
> > Taking a quick look (not considering if this a good idea or not):
> > 
> > > In fact the new version, TLS version 1.3 [draft], which is a work in
> > > progress, supports only ECDHE for key exchange.
> > 
> > This is just wrong. In TLS 1.3 editor's copy and in latest draft, non-ECC DHE is
> > supported (2k, 3k, 4k and 8k).
> 
> Thanks for the reminder.
> Maybe a 'type' should be added to each ClientKeyShareOffer, to indicate the different Diffie-Hellman exchanges.
> And change this extension's name from ECDHE-keyshare to DH-keyshare.

Well, there is a draft in pipeline (IETF LC complete, waiting for
writeup) that assigns a range of group IDs for finite-field Diffie-
Hellman (the TLS 1.3 group ids come from there).

Basically, the MSB of group ID being 0x01 means DHE (others are
ECDHE).

> > > ECParameters    curve_params;
> > 
> > I consider supporting arbitrary curves here a bad idea. Why not just use values
> > out of EC Named Curve Registry (16-bit)?
> > 
> > (That's the way TLS 1.3 does it).
> 
> I tried to change as little as possible, to avoid unnecessary trouble, both in the protocol and in implementations.

Well, the difference between ECParameters and NamedCurve when non-named
groups are disallowed is an extra 0x03 prefix (to designate NamedCurve).

Also, I consider using non-named groups to bring more security problems
than it is worth (e.g. currently known ways to exploit THS for (EC)DHE
rely on those).

> > > So I have not found any security problem with this extension yet.
> > 
> > Another problem:
> > 
> > Definition of extended_master_secret (security fix!) refers to
> > ClientKeyExchange. The relevant part would have to be redefined (I guess
> > taking session_hash after ServerKeyExchange would work).
> 
> I think so too.
> I will add this in the draft after reading this extension carefully.

Basically, the point needs to be after ServerKeyExchange (security) but
before ChangeCipherSpec (possible to implement).

(Without extensions, there is only one such point, but certain
extensions can add extra messages).


-Ilari
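The two encoding points raised above (ECParameters versus a bare 16-bit group id, and the high byte 0x01 marking finite-field DHE) in working code. This is an added example, not code from the thread, the draft or any TLS implementation. It assumes the RFC 4492 curve_type values (named_curve = 3) and NamedCurve ids for secp256r1/384r1/521r1, and the RFC 7919 FFDHE group ids 0x0100 to 0x0104 (the mail only names the 2k/3k/4k/8k sizes; the exact ids are taken from the published RFC). Explicit (non-named) curve parameters are rejected by the parser, which is the restriction the mail argues for.

```python
import struct

# RFC 4492 ECCurveType values used in the TLS 1.2 ECParameters structure.
CURVE_TYPE_EXPLICIT_PRIME = 1
CURVE_TYPE_EXPLICIT_CHAR2 = 2
CURVE_TYPE_NAMED_CURVE = 3

# Group ids: RFC 4492 NamedCurve values for the ECDHE curves, RFC 7919 values
# for the finite-field groups (assumption: taken from the published RFCs, the
# mail itself only states that DHE ids have a high byte of 0x01).
NAMED_GROUPS = {
    "secp256r1": 23,
    "secp384r1": 24,
    "secp521r1": 25,
    "ffdhe2048": 0x0100,
    "ffdhe3072": 0x0101,
    "ffdhe4096": 0x0102,
    "ffdhe6144": 0x0103,
    "ffdhe8192": 0x0104,
}


def encode_ec_parameters_named(group_id):
    """TLS 1.2 ECParameters restricted to named curves: curve_type(1) || NamedCurve(2)."""
    return struct.pack("!BH", CURVE_TYPE_NAMED_CURVE, group_id)


def encode_named_group(group_id):
    """TLS 1.3 style: just the 16-bit group id, no curve_type byte."""
    return struct.pack("!H", group_id)


def parse_ec_parameters_named_only(data):
    """Parse ECParameters but accept only curve_type == named_curve.

    Explicit prime/char2 curves are refused outright, so a peer cannot push
    arbitrary curve parameters into the exchange. Returns (group_id, rest).
    """
    if len(data) < 1:
        raise ValueError("truncated ECParameters")
    curve_type = data[0]
    if curve_type != CURVE_TYPE_NAMED_CURVE:
        raise ValueError("explicit curve parameters not accepted (curve_type=%d)" % curve_type)
    if len(data) < 3:
        raise ValueError("truncated NamedCurve")
    (group_id,) = struct.unpack("!H", data[1:3])
    return group_id, data[3:]


def is_ffdhe_group(group_id):
    """Per the mail: a group id whose high byte is 0x01 is finite-field DHE."""
    return (group_id >> 8) == 0x01


def classify(group_id):
    """Label a group id as 'DHE' or 'ECDHE' by its high byte."""
    return "DHE" if is_ffdhe_group(group_id) else "ECDHE"


def ec_parameters_to_named_group(data):
    """Convert a named-curve ECParameters blob to the bare NamedGroup encoding.

    Demonstrates that, with explicit curves disallowed, the only difference
    between the two encodings is the leading 0x03 byte.
    """
    group_id, rest = parse_ec_parameters_named_only(data)
    return encode_named_group(group_id) + rest


if __name__ == "__main__":
    for name, gid in NAMED_GROUPS.items():
        print("%-10s id=0x%04x %-5s ECParameters=%s NamedGroup=%s" % (
            name, gid, classify(gid),
            encode_ec_parameters_named(gid).hex(), encode_named_group(gid).hex()))
```

Run stand-alone, the block prints both encodings side by side for each group; the ECParameters form is always the NamedGroup form with a 0x03 byte in front.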
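The session_hash point discussed above, as an added example rather than anything from the thread or a real TLS stack: a transcript hash that is cut after a chosen handshake message, with a check that the cut lands after ServerKeyExchange and before ChangeCipherSpec, as the mail requires. Handshake type values are the RFC 5246 ones; the two transcripts are constructed here with placeholder bodies. The second transcript has no ClientKeyExchange at all, which is exactly why the RFC 7627 definition would need to be restated for a keyshare-in-ClientHello extension.

```python
import hashlib
import struct

# RFC 5246 HandshakeType values.
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 12, 14
CLIENT_KEY_EXCHANGE, FINISHED = 16, 20
# ChangeCipherSpec is not a handshake message (record content type 20); a
# string marker keeps it out of the handshake-type number space here.
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"


def handshake_message(msg_type, body):
    """Serialize one handshake message: type(1) || length(3) || body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def session_hash(transcript, cut_type, hash_name="sha256"):
    """Hash every handshake message up to and including the first one of cut_type.

    RFC 7627 uses cut_type = ClientKeyExchange. Reaching ChangeCipherSpec before
    the cut is an error: the extended master secret is needed to derive the keys
    that protect everything after ChangeCipherSpec.
    """
    h = hashlib.new(hash_name)
    for msg_type, body in transcript:
        if msg_type == CHANGE_CIPHER_SPEC:
            raise ValueError("cut point %r not reached before ChangeCipherSpec" % (cut_type,))
        h.update(handshake_message(msg_type, body))
        if msg_type == cut_type:
            return h.digest()
    raise ValueError("message type %r not in transcript" % (cut_type,))


def acceptable_cut_point(transcript, cut_type):
    """True if cut_type sits at or after ServerKeyExchange and before ChangeCipherSpec.

    This is the window the mail describes: after ServerKeyExchange so the
    server's share is bound into the hash, before ChangeCipherSpec so an
    implementation can still compute the secret in time.
    """
    types = [t for t, _ in transcript]
    if cut_type not in types or SERVER_KEY_EXCHANGE not in types:
        return False
    cut = types.index(cut_type)
    ske = types.index(SERVER_KEY_EXCHANGE)
    ccs = types.index(CHANGE_CIPHER_SPEC) if CHANGE_CIPHER_SPEC in types else len(types)
    return ske <= cut < ccs


# Constructed transcripts with placeholder bodies (not real handshake encodings).
# Classic RFC 5246 ECDHE flow: the client's share travels in ClientKeyExchange.
TLS12_TRANSCRIPT = [
    (CLIENT_HELLO, b"client-hello"),
    (SERVER_HELLO, b"server-hello"),
    (CERTIFICATE, b"certificate"),
    (SERVER_KEY_EXCHANGE, b"server-share"),
    (SERVER_HELLO_DONE, b""),
    (CLIENT_KEY_EXCHANGE, b"client-share"),
    (CHANGE_CIPHER_SPEC, b"\x01"),
    (FINISHED, b"verify-data"),
]

# Keyshare-in-ClientHello flow as the draft proposes: no ClientKeyExchange,
# so the RFC 7627 cut point does not exist in this transcript.
KEYSHARE_TRANSCRIPT = [
    (CLIENT_HELLO, b"client-hello+keyshare"),
    (SERVER_HELLO, b"server-hello"),
    (CERTIFICATE, b"certificate"),
    (SERVER_KEY_EXCHANGE, b"server-share"),
    (CHANGE_CIPHER_SPEC, b"\x01"),
    (FINISHED, b"verify-data"),
]


if __name__ == "__main__":
    print("RFC 7627 cut:", session_hash(TLS12_TRANSCRIPT, CLIENT_KEY_EXCHANGE).hex())
    print("after SKE   :", session_hash(KEYSHARE_TRANSCRIPT, SERVER_KEY_EXCHANGE).hex())
    for t in (SERVER_HELLO, SERVER_KEY_EXCHANGE, FINISHED):
        print("cut after type %2d acceptable: %s" % (t, acceptable_cut_point(KEYSHARE_TRANSCRIPT, t)))
```

Against the keyshare transcript, asking for the RFC 7627 cut point raises because ChangeCipherSpec is reached first; cutting after ServerKeyExchange succeeds and is the only cut in the window that is both after the server's share and before the key switch.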