Re: [TLS] Should we support static RSA in TLS 1.3?

Geoffrey Keating <geoffk@geoffk.org> Sun, 17 November 2013 04:28 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B10F11E84AC for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 20:28:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YFnN97XI5bx3 for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 20:28:14 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0E411E84F8 for <tls@ietf.org>; Sat, 16 Nov 2013 20:28:06 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 1718733D0ED; Sun, 17 Nov 2013 04:28:06 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBN3WPigLn-ggm2YGTcPEwn8G-1ecRAxdCtK3ueuUPF09Q@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 16 Nov 2013 20:28:05 -0800
In-Reply-To: <CABcZeBN3WPigLn-ggm2YGTcPEwn8G-1ecRAxdCtK3ueuUPF09Q@mail.gmail.com>
Message-ID: <m238mv1wkq.fsf@localhost.localdomain>
Lines: 88
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should we support static RSA in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 04:28:28 -0000

Eric Rescorla <ekr@rtfm.com> writes:

> One of the topics we didn't really get to in Vancouver was the fate of
> the static RSA ciphersuites. We'll eventually need to decide on this
> for TLS 1.3.
...
> Static RSA has obvious deficiencies:
> 
> - It doesn't offer forward security.
> - The larger key lengths that are required for security are increasingly
>    uncompetitive with other algorithms (principally EC).
> 
> Additionally, since we know we want to offer ephemeral key agreement
> modes such as DHE (see the recommendations in
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-01) it would reduce
> complexity to *only* offer such modes rather than having to support
> static RSA as well.
> 
> This isn't a no-brainer, though. Static RSA is still by far the
> dominant key exchange algorithm and if you have an RSA certificate, is
> strictly faster than any ephemeral suite. So, we're asking everyone to
> take a performance hit at the same time as we're trying to make TLS
> faster; of course this is a computational cost rather than one of
> network latency, but there are still applications where that matters,
> especially in constrained devices.
> 
> There are also some settings where PFS is actually undesirable,
> especially for diagnosis and monitoring. In this settings, it's much
> more convenient to simply provide the monitoring device with the
> server key. ssldump and wireshark, for instance, both provide this
> feature.

Perhaps we could break the operations into three:

- key agreement and generation (including generation of keys for upper layers)
- bulk encryption/mac
- authentication

and negotiate these separately.

Then, if people want a key agreement where one side generates a random
master key, encrypts it with RSA, and sends it to the other, we can do
that.  The RSA key can be ephemeral (or, at least, changed much more
often than today's typical "once every two years"), which gives
forward secrecy, or the RSA key can be fixed, if forward secrecy is
explicitly not wanted.

The 'client' side needs to only do one RSA encryption and one (RSA)
signature verification, which are both the fast side of the
computation, so should be cheap enough.  (The client will probably
need to do some more signature verifications anyway, to verify the
certificate chain.)  You're adding only a single RSA signature
verification compared to the current non-PFS cipher suites.

For debugging, set a fixed RSA key.  When it's over, unconfigure the
fixed key, automatically generate a new one, and you're secure again.

There are a few cases that are more tricky.  Although I know of no
case where the bulk cipher is combined with key agreement or
authentication---there are some cases where a particular cipher is
standardised to be used with particular key agreement, SKIPJACK comes
to mind, but these are not technical restrictions---sometimes key
agreement and authentication are combined, for example in SRP.  I am
not sure if this is an important problem; it can always be worked
around by doing a separate key agreement and SRP (or whatever), and
using the key produced by SRP for a MAC on the original key agreement.
This is more expensive than plain SRP but it is similar to the
technique recommended for privacy using SRP where you start with an
anonymous cipher suite and then renegotiate SRP.

This will also help for those who want a 'raw public key' mode, they
can simply use 'no authentication'.  If you start the bulk
encryption before starting the authentication, you get privacy (but
probably more round trips).  And you could make client authentication
and server authentication the same messages, just in different
directions, which will help make the protocol more direction-agnostic,
and will also allow better negotiation of client authentication
algorithm and perhaps even server certificate roots.

The above covered two of the common reasons for renegotiation: privacy
and needing additional client auth.  The third is for ciphers that
need re-keying, which I think should be part of the 'bulk
encryption/mac' definition; if a cipher needs rekeying every 10M or
10T of data, the spec for using it in TLS should say when this
happens, and the 'key agreement & generation' algorithm should be
responsible for providing new keys.

Sorry for the length, hope there's at least one good idea in here!