Re: [TLS] Current TLS 1.3 state?

Benjamin Kaduk <bkaduk@akamai.com> Wed, 05 April 2017 16:24 UTC

To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Sam Scott <sam.scott89@gmail.com>
Cc: tls@ietf.org
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <5e064d9b-ac36-a611-8b03-a17046ac33f7@akamai.com>
Date: Wed, 05 Apr 2017 11:24:06 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RkasJCCW89OHDijk-jbLxSladmo>
Subject: Re: [TLS] Current TLS 1.3 state?

On 04/05/2017 04:03 AM, Karthikeyan Bhargavan wrote:
> We’re hoping that the TLS:DIV workshop later this month will serve to
> gather some opinions from the academic community on the current spec.
> https://www.mitls.org/tls:div/
>
> At IEEE S&P (Oakland), there will be at least two papers on analyses
> of draft 18:
> - A ProVerif and CryptoVerif analysis of the protocol (and a minimal
> reference implementation)
> - A verified F* implementation of the record layer
>
> So, putting these together with the upcoming Tamarin analysis and
> previously published papers on prior drafts, I think we’ll have a
> solid bibliography justifying the core design of TLS 1.3, especially
> the (EC)DHE and PSK 1-RTT handshakes along with resumption.
>
> What I am less confident about is the secure usage of features like
> 0-RTT, 0.5 RTT, and post-handshake authentication.
> Many researchers have looked at these aspects (and they can correct me
> if I am wrong) but the security guarantees we can prove for these
> modes are much more limited than for the regular 1-RTT handshake. My
> concern is that these features will inspire new usage patterns
> for TLS 1.3 that have not been adequately studied. I am not
> sure what we can do about that except maybe work harder on the
> security considerations.
>

W.r.t. 0-RTT/0.5-RTT in particular, since applications MUST NOT use them
without an application profile specifying their use, it may be worth
analyzing the particular application profiles as well, e.g.,
https://datatracker.ietf.org/doc/html/draft-nottingham-httpbis-retry .

-Ben