Re: [TLS] New Version Notification for draft-putman-tls-preshared-ecdh-00.txt

Tony Putman <Tony.Putman@dyson.com> Fri, 01 December 2017 08:49 UTC

From: Tony Putman <Tony.Putman@dyson.com>
To: Katriel Cohn-Gordon <me@katriel.co.uk>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] New Version Notification for draft-putman-tls-preshared-ecdh-00.txt
Date: Fri, 01 Dec 2017 08:49:32 +0000
Message-ID: <140080C241BAA1419B58F093108F9EDC0B036464@UK-MAL-MBOX-02.dyson.global.corp>
References: <151206123390.4809.15953787972366154379.idtracker@ietfa.amsl.com> <140080C241BAA1419B58F093108F9EDC0B0363F0@UK-MAL-MBOX-02.dyson.global.corp> <1512066683.2703229.1189737376.36787A76@webmail.messagingengine.com>
In-Reply-To: <1512066683.2703229.1189737376.36787A76@webmail.messagingengine.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RN95fmHV9XzMAn9r79BeI_AgyAY>
Subject: Re: [TLS] New Version Notification for draft-putman-tls-preshared-ecdh-00.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Katriel Cohn-Gordon
> If you add the fourth (static-static) DH, you should be protected
> against poor generation of ephemeral keys.

Thanks, this sounds like a good idea. It can be precomputed (and stored if
all comms are to a single server) so it doesn't slow down the actual protocol
exchange.

I added the two static public keys into the premaster calculation as they are
included in the Session Id definition in [Kudla]. I wonder if I can replace them
with the static-static computation, which seems (to me) to offer the same
protection.
-- 
Tony
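Added worked example, not from the draft or from either poster: a pure-Python
X25519 (the RFC 7748 ladder, not constant-time, for illustration only) driving
the two premaster layouts discussed in this exchange, i.e. three DH terms plus
the two static public keys versus three DH terms plus the static-static term.
The function names (client_premaster, server_premaster, attacker_premaster,
run_handshake, static_static), the SHA-256 over length-prefixed terms that
stands in for the draft's real PRF, and the threat model (both ephemeral
private keys leak through a bad RNG) are this example's own assumptions.

```python
# Added example (not the draft's or the thread's code). Pure-Python X25519
# (RFC 7748 ladder, NOT constant-time) used to compare a premaster that binds
# the static PUBLIC keys (3 DH terms + C + S) with one that mixes in the
# static-static DH term (4 DH terms). Names, the SHA-256 stand-in for the
# draft's PRF and the leaked-ephemeral threat model are assumptions.
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: clamped scalar k times u-coordinate u (32 bytes each)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):            # Montgomery ladder, RFC 7748 s.5
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def pubkey(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)


def premaster(ee, es, se, c_pub, s_pub, ss=None) -> bytes:
    """Fixed-order, length-prefixed hash of the terms (a stand-in for the
    draft's PRF). ss=None gives the 3-DH + static-public-key layout; passing
    ss mixes the static-static term in as well."""
    h = hashlib.sha256()
    for part in (ee, es, se, c_pub, s_pub, ss or b""):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


_SS_CACHE: dict = {}


def static_static(my_priv: bytes, peer_pub: bytes) -> bytes:
    """The static-static term depends only on long-term keys, so it is
    computed once per peer and cached rather than on every handshake."""
    key = (my_priv, peer_pub)
    if key not in _SS_CACHE:
        _SS_CACHE[key] = x25519(my_priv, peer_pub)
    return _SS_CACHE[key]


def client_premaster(c_priv, x_priv, s_pub, y_pub, with_ss):
    # c = client static, x = client ephemeral, S/Y = server static/ephemeral
    ee, es, se = x25519(x_priv, y_pub), x25519(x_priv, s_pub), x25519(c_priv, y_pub)
    ss = static_static(c_priv, s_pub) if with_ss else None
    return premaster(ee, es, se, pubkey(c_priv), s_pub, ss)


def server_premaster(s_priv, y_priv, c_pub, x_pub, with_ss):
    ee, es, se = x25519(y_priv, x_pub), x25519(s_priv, x_pub), x25519(y_priv, c_pub)
    ss = static_static(s_priv, c_pub) if with_ss else None
    return premaster(ee, es, se, c_pub, pubkey(s_priv), ss)


def attacker_premaster(x_priv, y_priv, c_pub, s_pub):
    """What an attacker who learned BOTH ephemeral private keys (bad RNG) can
    compute: ee, es, se and the public statics, but never ss."""
    ee = x25519(x_priv, pubkey(y_priv))
    es, se = x25519(x_priv, s_pub), x25519(y_priv, c_pub)
    return premaster(ee, es, se, c_pub, s_pub, None)


def run_handshake(with_ss: bool, rng=os.urandom):
    """Returns (client_and_server_agree, attacker_with_leaked_ephemerals_wins)."""
    c_priv, s_priv = rng(32), rng(32)            # long-term static keys
    x_priv, y_priv = rng(32), rng(32)            # per-handshake ephemerals
    c_pub, s_pub, x_pub, y_pub = map(pubkey, (c_priv, s_priv, x_priv, y_priv))
    pm_c = client_premaster(c_priv, x_priv, s_pub, y_pub, with_ss)
    pm_s = server_premaster(s_priv, y_priv, c_pub, x_pub, with_ss)
    pm_a = attacker_premaster(x_priv, y_priv, c_pub, s_pub)
    return pm_c == pm_s, pm_a == pm_c
```

run_handshake(False) returns (True, True): client and server agree, but an
attacker holding both ephemerals reconstructs the premaster, because the two
static public keys contribute no secret. run_handshake(True) returns
(True, False): the parties still agree and the attacker is stopped, since the
ss term needs one of the static private keys. static_static() is the
precomputation point from the reply above: ss depends only on long-term keys,
so it is computed once and cached. Note that ss helps only against weak
ephemerals; once a static private key is compromised it adds nothing. The
example also does not settle whether the static public keys can be dropped
from the premaster once ss is present; what the session id must bind is a
separate question.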

