Re: [TLS] Contemplated major revision to draft-ietf-negotiated-ff-dhe
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 19 September 2014 21:10 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4771F1A8762 for <tls@ietfa.amsl.com>; Fri, 19 Sep 2014 14:10:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wO8YgjOjUrC for <tls@ietfa.amsl.com>; Fri, 19 Sep 2014 14:10:04 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03FA21A0ADE for <tls@ietf.org>; Fri, 19 Sep 2014 14:10:02 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 17AD669AC1; Sat, 20 Sep 2014 00:09:59 +0300 (EEST)
Date: Sat, 20 Sep 2014 00:09:59 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Message-ID: <20140919210959.GA5533@LK-Perkele-VII>
References: <87bnqbxu9s.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <87bnqbxu9s.fsf@alice.fifthhorseman.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PpD9m9WveK5uFc2cJKvGabAWkEM
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] Contemplated major revision to draft-ietf-negotiated-ff-dhe
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 21:10:06 -0000
On Fri, Sep 19, 2014 at 03:52:31PM -0400, Daniel Kahn Gillmor wrote: > > The idea is to have the draft drop the proposed FF-DHE TLS extension > entirely and instead redefine "Supported Elliptic curves" (TLS > extension 10) [0] to be a "Supported named groups" extension. Then > we would allocate some of the currently unallocated codepoints in the > NamedCurve IANA registry [1] to the proposed FF-DHE groups. > > == Advantages == > > The main goal of this change is to simplify the TLS 1.3 handshake while > allowing clients to send a 1.2+1.3 compatible first flight that includes > FF DHE without excessive duplication. Couple problems: - Implementations may not support same curves for ECDH and ECDSA, and SEC negotiates both. - It would be clearer if TLS 1.3 worked in terms of DH functions instead of DH groups (avoids problems with encodings for one, which are made more severe by inability to negotiate). Just check some drafts trying to fit Curve25519 into TLS. Those are quite hacky. Making DH function out of it would be trivial (since it already is DHF). DH Groups can be turned into DHFs by specifying encoding rules (which have to be specified anyway). Also, there are things even more exotic than Curve25519 & co. Like what is called "Kummer" in eBATS. > For aware servers, if they select a DHE key exchange they should send an > SKE as indicated in the current draft, with the server's DHParams > modified appropriately. (possibly, Alfredo's suggestion of sending an > entirely different handshake message instead of SKE in this case offers > a clearer indication to the client that the server has selected a named > group). SKE is quite different in 1.2 and 1.3: In 1.2, it also carries server signature. This does not specify the group used, which leads into a security problem since groups can be confused. In 1.3 the server signature is elsewhere (it has to be because of certificate encryption) which also avoids the group confusion problem (and some annoyances at analyzing security of key exchange). If server's choice of DHG/DHF is specified in ServerHello or SKE is also dependent on how "missed guess" is handled. There are two basic ways: 1) Restart. DHG/DHF has to be in SH. Potential for downgrade attacks? 2) Remedial CKE. The DHG/DHF can be in either SH or SKE. -Ilari
- Re: [TLS] Contemplated major revision to draft-ie… Ilari Liusvaara
- [TLS] Contemplated major revision to draft-ietf-n… Daniel Kahn Gillmor
- Re: [TLS] Contemplated major revision to draft-ie… Martin Thomson
- Re: [TLS] Contemplated major revision to draft-ie… Ilari Liusvaara