Re: [TLS] Current TLS 1.3 state?

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 05 April 2017 09:03 UTC

From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <946F8C1F-FC58-4D03-8EB9-D0B3BFAA59DE@gmail.com>
Date: Wed, 05 Apr 2017 11:03:25 +0200
In-Reply-To: <4d42ad93-4dd4-99af-f90b-0ab61021bcfb@gmail.com>
Cc: tls@ietf.org
To: Sam Scott <sam.scott89@gmail.com>
References: <CACsn0ck2LVSf0eMR4wuabmPxKO7WSPgrVg2+ROkSPDtOwBF8ww@mail.gmail.com> <CABcZeBPFMcoP3Dse5W3F48jWP4oFEsgU1cR2eSx8kvfvao5Amg@mail.gmail.com> <4d42ad93-4dd4-99af-f90b-0ab61021bcfb@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Tx-Ag2gMpo5qA9qAKLuPTi7V_8w>
Subject: Re: [TLS] Current TLS 1.3 state?

We’re hoping that the TLS:DIV workshop later this month will serve to gather some opinions from the academic community on the current spec.
https://www.mitls.org/tls:div/

At IEEE S&P (Oakland), there will be at least two papers on analyses of draft 18:
- A ProVerif and CryptoVerif analysis of the protocol (and a minimal reference implementation)
- A verified F* implementation of the record layer

So, putting these together with the upcoming Tamarin analysis and previously published papers on prior drafts, I think we’ll have a solid bibliography justifying the core design of TLS 1.3, especially the (EC)DHE and PSK 1-RTT handshakes along with resumption.

What I am less confident about is the secure usage of features like 0-RTT, 0.5 RTT, and post-handshake authentication.
Many researchers have looked at these aspects (and they can correct me if I am wrong), but the security guarantees we can prove for these modes are much more limited than for the regular 1-RTT handshake. My concern is that these features will inspire new usage patterns for TLS 1.3 that have not been adequately studied. I am not sure what we can do about that except maybe work harder on the security considerations.

-Karthik

> On 5 Apr 2017, at 10:44, Sam Scott <sam.scott89@gmail.com> wrote:
> 
>> I don't know what the state of the various modelling efforts is, though I imagine
>> this will be a topic at TLS:DIV at the end of the month. We did discuss the various
>> cryptographic changes in -20 (specifically the extra key derive stages and the
>> handshake hash reification) with a number of cryptographers before incorporating.
>> Perhaps some of the analytic groups on-list would care to comment?
> 
> From our* point of view we're pretty happy with the current state of the spec.
> Our initial results confirm that TLS achieves the core security properties
> (secrecy and authentication). More specifically, we prove an absence of attacks
> against those properties in our model.
> 
> We're currently waiting for the last version of the spec to be finalised so that
> we can make a more definitive statement and share our final results. Although we
> do not expect our analysis to be affected by the recent changes to the spec, we
> will still need to update our model and re-prove everything, which is quite time
> consuming. We will be talking at TLS:DIV so can share more then, including what
> is and isn't captured by our model.
> 
> * Us being the Tamarin team: Cas Cremers, Marko Horvat, Jonathan Hoyland,
> Sam Scott, and Thyla van der Merwe.