Re: [TLS] AdditionalKeyShare Internet-Draft
Benjamin Kaduk <bkaduk@akamai.com> Mon, 17 April 2017 20:14 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC0F129463 for <tls@ietfa.amsl.com>; Mon, 17 Apr 2017 13:14:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVcBMSRbdQWQ for <tls@ietfa.amsl.com>; Mon, 17 Apr 2017 13:14:29 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id D14C812945D for <tls@ietf.org>; Mon, 17 Apr 2017 13:14:28 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id DE06E43342F; Mon, 17 Apr 2017 20:14:27 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id C6E4643340C; Mon, 17 Apr 2017 20:14:27 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1492460067; bh=c18/SNa+E8KCvcf7xfvvkdR7MWRI83xWnW0Hfnukrw8=; l=8533; h=To:References:Cc:From:Date:In-Reply-To:From; b=Q0aFQB5Bg8snhTkvah0ncv17tC6P1tGxn9AwEoCZD4zxKs/I5vnKQvCbgVS+PiMS8 OXckJlLVHfMlTi9QgkqKIT128bRtv4Xyjzy3UMe73wLlXFK2Wr/geAsuwBya/zwKx0 UB89iqrZDb47VCaxovSxnyQmwObXqEX+1HlnfsJE=
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 7BFAE1FC86; Mon, 17 Apr 2017 20:14:27 +0000 (GMT)
To: Douglas Stebila <dstebila@gmail.com>, David Benjamin <davidben@chromium.org>
References: <E8836EB8-EFC4-4506-BCBB-2F4FE9BA075F@gmail.com> <CAF8qwaB74gFFdc6jQ0ySddYO4FQJmZdDS=uo5yF5UzQ+5sTP=A@mail.gmail.com> <E0EDAFAD-E0B5-4BBD-8553-1AC1E448E5D6@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <436c8c50-6a32-8d4e-d666-b96684847c55@akamai.com>
Date: Mon, 17 Apr 2017 15:14:27 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <E0EDAFAD-E0B5-4BBD-8553-1AC1E448E5D6@gmail.com>
Content-Type: multipart/alternative; boundary="------------74C0E74B8A4710CBEA3BE0F4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SP5tgRucD16coh8NKueoL8Zlz-A>
Subject: Re: [TLS] AdditionalKeyShare Internet-Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 20:14:31 -0000
On 04/17/2017 02:44 PM, Douglas Stebila wrote: > Hi David, > > Thanks for the feedback. > >> This seems overly complicated. Why implement a parallel key share >> mechanism rather than merely defining a new NamedGroup value? >> >> Using your example of Google's recent New Hope experiment, I would >> imagine defining, say, NamedGroup.cecpq1. Let its key_shares be the >> concatenation of New Hope and X25519 public values, and let the >> resulting shared secret be some combination of the two resulting keys. >> >> This avoids changing the key schedule or protocol logic and slots in >> nicely into the existing arrangement. The AdditionalKeyShare proposal >> has more moving parts and combinatorial combinations to test and >> worry about. > > Defining combined NamedGroups, like in the Google New Hope experiment, > also incurs a combinatorial explosion, this time in the number of > NamedGroups. Given that TLS 1.3 has taken the approach of splitting > off each component of a TLS 1.2 ciphersuite into its own negotiable > component to avoid combinatorial explosion in standardized values, > separately negotiating each parallel key share mechanism seemed to us > to follow the TLS 1.3 design approach. > You only get the combinatorial explosion if you let it happen. A lot of the possible combinations wouldn't make much sense, and would not need to be defined. TLS 1.3 also tries to limit the possible combinations in some aspects, presenting just a few good choices with clear trade-offs. >> It also requires implementations answer silly questions like: >> - What happens the server selects two New Hopes with no X25519? >> X25519 and P-256 together? > > In our draft, KeyShare and AdditionalKeyShare form disjoint pools of > NamedGroups from which one element can be selected. If the client > offers say P256 and X5519 in KeyShare and NewHope in its > AdditionalKeyShare, your first problem cannot happen. If the client > offers NewHope in both pools, then the situation you propose could > happen. This does not negatively impact compatibility or security, > although there is obviously no value in doing two NewHopes compared to > a single NewHope. I don't think we've put in a MUST NOT/SHOULD NOT > here, but we could add that. > That's pushing complexity from the spec into implementations; we have a lot of evidence to suggest that not all implementations will get it right. > > - How can I plausibly expose this complex array of options to the > consumer of my TLS library? > > Yes, there is a complex array of options: > - which algorithm(s) the client views as "must have" > - which algorithm(s) the client views as "would like to have" > - which algorithm(s) should/should not happen at the same time > > If this functionality is encapsulated anywhere in TLS, then that > complexity needs to incorporated somewhere, either already in compound > NamedGroups or in configuration of the parallel key share mechanism. > As I mentioned above, we thought that combinatorial explosion of > NamedGroups was not the TLS 1.3 way. However, we are open to > considering that if there's a clear preference for it. > I would rather leave the complexity in the NamedGroups registry. -Ben
- Re: [TLS] AdditionalKeyShare Internet-Draft David Benjamin
- [TLS] AdditionalKeyShare Internet-Draft Douglas Stebila
- Re: [TLS] AdditionalKeyShare Internet-Draft Eric Rescorla
- Re: [TLS] AdditionalKeyShare Internet-Draft Benjamin Kaduk
- Re: [TLS] AdditionalKeyShare Internet-Draft Douglas Stebila
- Re: [TLS] AdditionalKeyShare Internet-Draft Scott Fluhrer (sfluhrer)
- Re: [TLS] AdditionalKeyShare Internet-Draft William Whyte
- Re: [TLS] AdditionalKeyShare Internet-Draft William Whyte