Re: [TLS] removal of nonces [was: What would make TLS cryptographically better for TLS 1.3]

Nico Williams <nico@cryptonector.com> Sat, 02 November 2013 21:23 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CED821E80D8 for <tls@ietfa.amsl.com>; Sat, 2 Nov 2013 14:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.171
X-Spam-Level:
X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[AWL=-0.194, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dL8Jn487xl73 for <tls@ietfa.amsl.com>; Sat, 2 Nov 2013 14:23:07 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id 35F8B11E811D for <tls@ietf.org>; Sat, 2 Nov 2013 14:23:07 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id E39489405E; Sat, 2 Nov 2013 14:23:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=QdTX0xmN3M8KBp Q8HdffFR5Vees=; b=WZVg219UfEE88IaYm1mKPHl+RsvDIZyPg/A6hcTTRNuwfR erckqylU9DNaqVMrCLKaV+ZjBwkOp9iW0df5d4U2PPdUEOXRr4EBfz/2oSNGK8Ba N5CSoHgbZP942FBGlRTngaGC7A5Yrw2w5CuBtFD+THqp5UXa5om+U0IDTqiQU=
Received: from gmail.com (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 890D29405C; Sat, 2 Nov 2013 14:23:06 -0700 (PDT)
Date: Sat, 2 Nov 2013 16:22:54 -0500
From: Nico Williams <nico@cryptonector.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Message-ID: <20131102212250.GB11907@gmail.com>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <20131031230955.GB32733@gmail.com> <5274A92A.4030508@gnutls.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5274A92A.4030508@gnutls.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: tls@ietf.org
Subject: Re: [TLS] removal of nonces [was: What would make TLS cryptographically better for TLS 1.3]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 21:23:12 -0000

On Sat, Nov 02, 2013 at 08:26:34AM +0100, Nikos Mavrogiannopoulos wrote:
> On 11/01/2013 12:09 AM, Nico Williams wrote:
> >  - Many fewer nonce bytes and random IVs where possible.  Nonce payloads
> >    should be sent when needed, if needed.  For example, to derive a
> >    session key from an DHE shared secret one does not really need
> >    nonces.
> 
> Not really. Nonces are needed even in DHE ciphersuites. The nonces in
> TLS make sure that the signatures from both parties are fresh and only
> valid for this session (i.e., cannot be taken and re-used in another
> session). See how PKINIT Kerberos has issues when used with smart cards,
> just because it saved a round-trip by not sending a server nonce.

If your DH key is fresh then you don't need a nonce: the shared secret
will have a minimum of entropy close to that which you put into
selecting the DH private key, even if your peer reuses their DH key.

If you reuse DH keys then you need a coutner/nonce; the size of the
counter/nonce relates to the number of times you plan on reusing the DH
key.

>              [...], what would that buy? [...]

Nonces and explicit (even confounded) random IVs -especially the latter-
provide high subliminal channel bandwidth.  Smaller/fewer nonces and
explicit random IVs -> less subliminal channel bandwidth.  Capping the
number of subliminal channel bits per-connection is even more
interesting.

Nico
--