IETF Logo Mail Archive

Re: [TLS] OPTLS: Signature-less TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Thu, 13 November 2014 15:43 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 569AE1A897B for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 07:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3O1gGXckXYMt for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 07:43:02 -0800 (PST)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D79C91A8980 for <tls@ietf.org>; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
Received: by mail-yh0-f54.google.com with SMTP id 29so3933395yhl.41 for <tls@ietf.org>; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Ut9sa0cWEiuttQdQAj0yWW9NvslFO5J7Lof6AP6FNL4=; b=MSLifgb3KIxpmuI5m5XtUxjiTU2EzygZlGGBBSMDzRmaJ9odzgRe9yLtw7EX2ZSQ2K y6ZTcsgHStfTvCAB1zT/7iRX+Znvt35QJauKU4eLAEm2HbruwCSAzyi7SZVXm6RZGF9Z j35wipzBI0+nGK/dbim79mmAhS4zzKr9sKvcDRSrwSgecGyi2fvIPY0cRyFVsgym/XEw lhHa8p3S2mX1gZDkD2eQS/IQ+cXsP3H1VmuOR8cri7TpIAVSJxOLqu08IU+EtycO7mhS SmbCC7StVlP6RqwRKx6BVMom4mm2h6me821UDsFKiRn1//hevTh+XXq8AeaXKNZ0V4Qv 8IvQ==
MIME-Version: 1.0
X-Received: by 10.170.100.215 with SMTP id r206mr4072113yka.19.1415893367036; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
Received: by 10.170.195.203 with HTTP; Thu, 13 Nov 2014 07:42:46 -0800 (PST)
In-Reply-To: <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
References: <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost> <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com> <20141111021201.GH3412@localhost> <5461A3DD.4030102@fifthhorseman.net> <CADi0yUO4Q8=FkmAXH0na2gd6MADb4JSCGUGju7mYYm-qxqEKQw@mail.gmail.com> <20141111173325.GK3412@localhost> <4008860D-58A7-4A48-A4FC-A5823D94B791@gmail.com> <20141111203740.GN3412@localhost> <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
Date: Thu, 13 Nov 2014 07:42:46 -0800
Message-ID: <CACsn0c=J-0sB5uyBBuf9tqmviD2CGF3e+PhQt_gcxm2EQfcfjw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VlkSglWBM7HdXyjBxtZyoq1YW4w
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 15:43:10 -0000

On Wed, Nov 12, 2014 at 8:02 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote:
><snip>
>
> * Assuming that servers will not want to get certificates for use with TLS
> 1.3
>   only (why not?), then we need to address the above subcert forgery
> scenario
>   where the atacker gets limited access to the signing key. An imperfect but
>   effective solution is to only issue subcerts with short validity period,
>   i.e.  where the difference T2-T1 is small. In this case the attacker with
>   temporary access to the signing key can only create a limited number of
>   subcerts covering a limited time span.
>
> Operational note: It is the servers' responsibility to create such
> short-lived
> subcerts but it is the clients' responsibility to check the subcerts are
> indeed short-lived (otherwise an attacker can generate a long-lived subcert
> that the client will accept).
>
> * Clients with clocks with significant deviations from the correct time will
>   have trouble accepting valid subcerts and may be induced to accept old (or
>   into-the-future) subcerts. I can imagine this to be a problem. But is it
>   enough to abandon the benefits of a ECDH-based solution like OPTLS?

I don't think this is quite right. An attacker might root a box
connected to an HSM, and sign several thousand short term shares: to
the HSM this looks like the website being popular, and will cover a
large range of time. There doesn't seem to be an easy way to limit the
time the signature was made, and such a limitation could be
counterproductive in some scenarios. However, I don't think this is a
real problem: HSM usage on major sites is extremely low, and OPTLS
makes it easier.

Sincerely,
Watson Ladd
>
> On Tue, Nov 11, 2014 at 3:37 PM, Nico Williams <nico@cryptonector.com>
> wrote:
>>
>> On Tue, Nov 11, 2014 at 09:47:23AM -1000, Yoav Nir wrote:
>> > > On Nov 11, 2014, at 7:33 AM, Nico Williams <nico@cryptonector.com>
>> > > wrote:
>> > > That the "sub-cert" needs either a revocation scheme (not likely) or a
>> > > short lifetime.  The latter puts this on a par with session
>> > > resumption,
>> > > thus making one (well, me) wonder what the advantage to the static DH
>> > > concept would be.
>> >
>> > There is a revocation scheme. If the private ECDH key is lost, you
>> > revoke the certificate, thereby invalidating the delegation.
>>
>> Ah, good point!
>>
>> > > We could put static DH keys in DNSSEC and learn them that way, which
>> > > would get us 0rt.
>> >
>> > Another possibility is to place the ECDH public key in a certificate
>> > extension. This gives it a lifetime as long as the certificate, and it
>> > doesn’t matter whether the “regular” certificate public key is RSA or
>> > ECDSA or anything else.
>>
>> Sure, certs could have multiple subject public keys.  That'd be a very
>> nice.  A cert could have an encryption key, a different signature key,
>> and a key agreement key.
>>
>> > It removes the need to use signatures at all by the server. Not even
>> > once.
>>
>> Yes.  I like this.
>>
>> Nico
>> --
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email