Re: [TLS] Initial draft of DH-based key exchange
Eric Rescorla <ekr@rtfm.com> Tue, 24 March 2015 14:08 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ADE61A8739 for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 07:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yPRDuuqI-oYd for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 07:08:35 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17AF91A872D for <tls@ietf.org>; Tue, 24 Mar 2015 07:08:35 -0700 (PDT)
Received: by wixw10 with SMTP id w10so53645551wix.0 for <tls@ietf.org>; Tue, 24 Mar 2015 07:08:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=svkcNso8yYoLhnnFc6qODuDShyr8eJfqGR6kc46Uiww=; b=P/m26DPR3LlCE+Nno/IdVGQz+eLjnY6llPXJ4+e+KlFwf28bSW2ea0hHifx5XwRrH+ eql7/XXGGPdtL5vOBN8Q9D/H7UblYYcMlR3oIMqTy//7GD6M9jOn36DfQ7s2FFBkWojH QaRQ3HSJ/H2dKLe2mAfGYasKeDQYegnfKPZXW7kTaUZxF90bf8Q0vpayGMvPgLIze9rU 8em/QtusTtXmWCmZk/3RngTUN6RPsKnqGppScwYG1DT40UQcyqqmTnc9jxNXNdLuML5q aZhCc8S/uWnUabaAukLBET9wHKSZGfah6fn593uESxbzjbBzgnkvnJAnLyheEiUEQ5dA 9IUQ==
X-Gm-Message-State: ALoCoQnmtIkPLrfvrcCqDMyK5fKZrPxWxMmDWXhvaEYBj7jCeS1VsU+sYeYp986xvo4uA1Ch2ruA
X-Received: by 10.194.191.228 with SMTP id hb4mr8610850wjc.116.1427206113780; Tue, 24 Mar 2015 07:08:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Tue, 24 Mar 2015 07:07:52 -0700 (PDT)
In-Reply-To: <20150324140344.GA797@LK-Perkele-VII>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <1427123147.19595.62.camel@redhat.com> <CADi0yUMxvN3hHJ2zx7m5hOrPdu080DjvyOGim8c3++QETcx3bA@mail.gmail.com> <1427185709.3200.23.camel@redhat.com> <20150324140344.GA797@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 24 Mar 2015 09:07:52 -0500
Message-ID: <CABcZeBMyB7FiLcxeAL0RBed6T9FsMnFYun3qvZ0owga0t0oE5A@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="047d7b8750be6ef88005120951a4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/P-yTkWIjqwAtYuPHJo7pfFbaVJc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 14:08:37 -0000
On Tue, Mar 24, 2015 at 9:03 AM, Ilari Liusvaara < ilari.liusvaara@elisanet.fi> wrote: > On Tue, Mar 24, 2015 at 09:28:29AM +0100, Nikos Mavrogiannopoulos wrote: > > On Mon, 2015-03-23 at 15:22 -0400, Hugo Krawczyk wrote: > > > > > > > Two important things change in TLS 1.3: > > > - Forward secrecy (PFS) is now mandatory. > > > > > > - The protocol accommodate a 0-RTT mode. > > > > > > > > > These two changes can only be implemented via Diffie-Hellman > > > transforms (in theory, any CCA-secure public key encryption can be > > > used but (EC)DH is the only currently practical instantiation in this > > > setting). In particular, 0-RTT requires supporting semi-static DH keys > > > for the server. All that ekr draft does is to build a protocol where > > > PFS is supported, 0-RTT is supported, semi-static keys are supported, > > > and TLS-type signatures are supported in any case where the client > > > does not have a cached semi-static key of the server. The beauty of > > > it, if I can say so, is that all these modes are just subsets of a > > > single protocol with a single crypto logic and uniform specification > > > (which also covers uniformly PSK and resumption). > > > > So if I understand well the additional semi-static key is to support the > > 0-rtt case only, and otherwise it should be simply a copy of the > > ephemeral key? I cannot say I fully follow the protocol in all possible > > scenarios. It would be nice to have a message flow of the interactions > > for the DH key exchange in all the cases (e.g., PSK) either as an > > appendix or the main text. As we are moving to non-widely known key > > exchanges it makes sense to document them clearly, or at least link to > > documents which define them. > > >From what I can understand, it adds interrim server DH key, which server > signs (which may be the same as the server eph. key), computes DH of > both with client eph. key and mixes those to become session keys > (the interrim key can be reused to become 0RTT key for the next > connection). > > So roughly: > - Client: C_pub_e > - Server: S_pub_e, S_pub_s, Sign(S_pub_s, handshake_messages) > - 0RTT key: F(DH(S_pub_s_prev, C_pub_e) > - Session keys: G(DH(S_pub_s, C_pub_e), DH(S_pub_e, C_pub_e)) > > > To me, this looks to lose all the benefits of of offline version: > - The offline version is two-level key scheme, this isn't. > - This version is quite a bit slower unless you disable 0RTT. > Note: we haven't yet determined how we are going to establish the key for future 0-RTT messages. You could reuse the key as you said above, but you could also just send a second key in a separate message, in which case you wouldn't have to take the hit, but at slightly more protocol complexity. -Ekr
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara