Re: [TLS] removal of nonces [was: What would make TLS cryptographically better for TLS 1.3]
Nico Williams <nico@cryptonector.com> Sat, 02 November 2013 21:23 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CED821E80D8 for <tls@ietfa.amsl.com>; Sat, 2 Nov 2013 14:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.171
X-Spam-Level:
X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[AWL=-0.194, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dL8Jn487xl73 for <tls@ietfa.amsl.com>; Sat, 2 Nov 2013 14:23:07 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id 35F8B11E811D for <tls@ietf.org>; Sat, 2 Nov 2013 14:23:07 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id E39489405E; Sat, 2 Nov 2013 14:23:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=QdTX0xmN3M8KBp Q8HdffFR5Vees=; b=WZVg219UfEE88IaYm1mKPHl+RsvDIZyPg/A6hcTTRNuwfR erckqylU9DNaqVMrCLKaV+ZjBwkOp9iW0df5d4U2PPdUEOXRr4EBfz/2oSNGK8Ba N5CSoHgbZP942FBGlRTngaGC7A5Yrw2w5CuBtFD+THqp5UXa5om+U0IDTqiQU=
Received: from gmail.com (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 890D29405C; Sat, 2 Nov 2013 14:23:06 -0700 (PDT)
Date: Sat, 02 Nov 2013 16:22:54 -0500
From: Nico Williams <nico@cryptonector.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Message-ID: <20131102212250.GB11907@gmail.com>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <20131031230955.GB32733@gmail.com> <5274A92A.4030508@gnutls.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5274A92A.4030508@gnutls.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: tls@ietf.org
Subject: Re: [TLS] removal of nonces [was: What would make TLS cryptographically better for TLS 1.3]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 21:23:12 -0000
On Sat, Nov 02, 2013 at 08:26:34AM +0100, Nikos Mavrogiannopoulos wrote: > On 11/01/2013 12:09 AM, Nico Williams wrote: > > - Many fewer nonce bytes and random IVs where possible. Nonce payloads > > should be sent when needed, if needed. For example, to derive a > > session key from an DHE shared secret one does not really need > > nonces. > > Not really. Nonces are needed even in DHE ciphersuites. The nonces in > TLS make sure that the signatures from both parties are fresh and only > valid for this session (i.e., cannot be taken and re-used in another > session). See how PKINIT Kerberos has issues when used with smart cards, > just because it saved a round-trip by not sending a server nonce. If your DH key is fresh then you don't need a nonce: the shared secret will have a minimum of entropy close to that which you put into selecting the DH private key, even if your peer reuses their DH key. If you reuse DH keys then you need a coutner/nonce; the size of the counter/nonce relates to the number of times you plan on reusing the DH key. > [...], what would that buy? [...] Nonces and explicit (even confounded) random IVs -especially the latter- provide high subliminal channel bandwidth. Smaller/fewer nonces and explicit random IVs -> less subliminal channel bandwidth. Capping the number of subliminal channel bits per-connection is even more interesting. Nico --
- [TLS] What would make TLS cryptographically bette… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- [TLS] removal of nonces [was: What would make TLS… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Andy Lutomirski
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] removal of nonces [was: What would make… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Martin Rex
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Jeff Jarmoc
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Johannes Merkle
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Santosh Chokhani
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser