Re: [TLS] OPTLS: Signature-less TLS 1.3

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 04 November 2014 08:45 UTC

From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 04 Nov 2014 10:45:04 +0200
Message-ID: <CADi0yUN5qc_01Jk8jzsaqX4o0RagAS87eLVNK2mgKQ82Kx=Pbw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NgLMGLwV6PxiU-yyi540andWEVE
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3

On Mon, Nov 3, 2014 at 12:38 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Sun, Nov 2, 2014 at 2:24 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>
> wrote:
>
>>
>>
>> On Sat, Nov 1, 2014 at 7:15 AM, Watson Ladd <watsonbladd@gmail.com>
>> wrote:
>>
>>> Dear Hugo,
>>>
>>> There are some issues I can see:
>>>
>>> -Servers already supporting ECDSA certificates seem to not win. If I'm
>>> understanding correctly, a server does three exponentiations, one of
>>> which can be optimized by ephemeral reuse, when using ECDSA+ECDHE. The
>>> servers that win are the ones with RSA certs. The only way to win vs
>>> ECDSA is if DH only permits faster exponentiation, which it does, and
>>> removing the ancillary junk in ECDSA.  However, here we have two
>>> variable base exponentiations after ephemeral reuse, as opposed to one
>>> fixed, one variable, so there is a loss in performance on the same
>>> group, made up for by removing inversions modulo the group order.
>>>
>>
>> Don't forget that 0-RTT cannot be supported with a signature-based
>> protocol
>>
>
> I'm not sure that this is correct. If a client does a 1-RTT exchange first
> (which he will have to do if he is naive about the server) then the
> server can provide a semi-static DH key for future use at that time
> and use a signature over the entire transcript to authenticate it, no?
>

When I said that "0-RTT cannot be supported with a signature-based
protocol" I meant to say that the key exchanged in the 0-RTT
client-to-server message (used to encrypt ClientData) cannot be
authenticated by a server's session-specific signature and therefore it
must use a DH-based mechanism (or other PK encryption). A signature by
the server can still be used to sign the semi-static key as you point
out, but that's an offline signature. Or maybe I misunderstood your
point?


>
> -Ekr
>
>
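To make the distinction in this exchange concrete, here is an added Python model (not OPTLS's own key schedule, and not code from the thread) of the 0-RTT mechanism described above: the server's certificate key signs the semi-static share g^s once, offline, and the key protecting the client's 0-RTT data is derived from g^{xs}, which only the holder of s can reproduce. The DH group, the textbook-RSA key and the KDF labels are toy constructions chosen for illustration and are far too small to be secure.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this illustration only (far too small to be secure).
P = (1 << 127) - 1        # stand-in DH modulus (a Mersenne prime); G is the generator
G = 3
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537   # textbook-RSA "certificate key" of the server
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N

def sign(msg: bytes) -> int:
    """Server's certificate signature; in the 0-RTT flow it is applied once, offline."""
    return pow(digest(msg), RSA_D, RSA_N)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == digest(msg)

def kdf(shared: int, label: bytes) -> bytes:
    """Derive a traffic key from a DH value; HMAC-SHA256 stands in for the real KDF."""
    return hmac.new(shared.to_bytes(16, "big"), label, hashlib.sha256).digest()

def server_provision() -> tuple:
    """Offline step: pick the semi-static exponent s and sign g^s with the certificate key."""
    s = secrets.randbelow(P - 2) + 2
    g_s = pow(G, s, P)
    return s, (g_s, sign(str(g_s).encode()))

def client_0rtt(signed_g_s: tuple) -> tuple:
    """Client holding a cached, signed g^s derives the 0-RTT key with no fresh server input."""
    g_s, sig = signed_g_s
    if not verify(str(g_s).encode(), sig):
        raise ValueError("semi-static key does not carry a valid server signature")
    x = secrets.randbelow(P - 2) + 2
    g_x = pow(G, x, P)
    return g_x, kdf(pow(g_s, x, P), b"0-RTT client data")

def server_0rtt(s: int, g_x: int) -> bytes:
    """Only the holder of s can reproduce the 0-RTT key: that, not a signature, authenticates it."""
    return kdf(pow(g_x, s, P), b"0-RTT client data")
```

Note that nothing the server does in the same session contributes to the 0-RTT key; a server that lost s but kept its certificate key could still sign, yet could not read the ClientData.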