Re: [TLS] Remove DH-based 0-RTT
Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 24 February 2016 03:40 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5CBC1B4155 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 19:40:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mLcmh2YBA6Ws for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 19:40:09 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF6BB1B4043 for <tls@ietf.org>; Tue, 23 Feb 2016 19:40:08 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id l143so3569679lfe.2 for <tls@ietf.org>; Tue, 23 Feb 2016 19:40:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=OuIhBXZcqaUeXceC6swVSH7lCZvxHYbVKOD6AKWHkRE=; b=fCOzY512H8BN5ebu8EM5Yo+QOKT+VEC8+7PatCBj8QEsql7aDqdAran3UUxUgr2ii8 +cSz4Nb/JkPqi9KwmQqAfE3uau1LqmdyP/QB2+eJdpEhQK4FDeRqjtGKINGQ9oOjrqvI MzdQPVy/A0sjRV/AJNbB+abkf9k00O9bESljFX1zhz4T4DlSO49zqYp6tvaX2TI8NQtI 93yP+JaTYdjoojSF9OAufs/0/FBnVZjfmrJZEuWa5jY4RgigpFDaeyuUig4fy+Z/fYDv tFh/pRK+9UZ6zTcOLDtE/hh0LlvVw8fVbzVafTCXTLOEqrC9wPnjc3TtssU7AlFNQLht xCeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=OuIhBXZcqaUeXceC6swVSH7lCZvxHYbVKOD6AKWHkRE=; b=ShykqiXEaaLPYgyRfi/YDRqgtzw+CJFeIC33wYP4sfk9HxZ93cvFm8WtdN/b9Lgpbd AMoHtB31sfHIP0dVqUIjd5PW884Z/hw2vID6gCmd/uNT3lNy5+y/aa9XfQia9P1isjii nnn4gujDCbMJORJRpAVHYQpxTfIuf9r/wIAVlcKJ5tukdgDhN9pytAfWohTWEIdalB// koBzFWZQGaG/07ef3oZlzQ1K5pOEIQGm4phht9GBAmkVMAPNEtdrCH8h7id8DAviF8Pt 7My0llOPWAD2+cDXcYJoPSz8Jh8/o3K0PSY6Z4Y9rjHOxOVMx78SwYTt/VOStVi2gTLz yb0w==
X-Gm-Message-State: AG10YOSHNqD+C9P51xskpizv1dbERvM7YEKqS4L/fK3L7+q7ODIKnIqoD0HsVvJ/KfE496HcvKOqwV7Hpew8gg==
X-Received: by 10.25.21.90 with SMTP id l87mr13440339lfi.64.1456285206907; Tue, 23 Feb 2016 19:40:06 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.18 with HTTP; Tue, 23 Feb 2016 19:39:37 -0800 (PST)
In-Reply-To: <201602232057.18505.davemgarrett@gmail.com>
References: <CABkgnnUUXQh=aStz4DuPtw5mWaF7aDFozuUwQp_QbJ2EGL0eHg@mail.gmail.com> <201602232057.18505.davemgarrett@gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 23 Feb 2016 22:39:37 -0500
X-Google-Sender-Auth: JI2FdeFJL3o0JUKVmV1-ZrS-V40
Message-ID: <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="001a113d9b54731315052c7bd203"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Vr-yERTx4DVBuMK9wN_Acn3bGgg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove DH-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 03:40:11 -0000
On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote: > > I propose that we remove DH-based 0-RTT from TLS 1.3. > > > > As ekr's previous mail noted, the security properties of PSK-based > > 0-RTT and DH-based 0-RTT are almost identical. And DH-based 0-RTT is > > much more complex. > > > > For those who love DH-based 0-RTT, and I know that some people are > > fans, here's something that might make you less sad about removing it > > from the core spec. You can use DH out of band to negotiate a PSK. > > You might even do this as an extension to TLS, but that's of less > > value. > > I think there is a good argument for moving DH 0RTT into a TLS extension. > Implementations that are explicitly not going to use it should not be > expected to implement it and risk screwing it up. If we accept that premise > that online DH 0RTT will be unlikely in practice, then we would be > specifying it at least primarily for out-of-band use, and doing it via an > extension will probably be cleaner and safer. > Combining this comment (which I agree with) with the following comment from Watson in another thread: > If they rely on extensions then either those > extensions need to be included in the security proofs, or we need to > make clear that they are not as secure as TLS 1.3, and that > implementations which enable both of them can get completely wrecked >in new and exciting ways. We get that even if it is decided not to include the DH-based 0-RTT as part of mandatory-to-implement TLS 1.3, it should be defined as an extension and as part of the TLS 1.3 document. Leaving the reduction from this case to PSK (as Martin suggested) to popular imagination is too dangerous. By including it as part of TLS 1.3 official text we also encourage the groups that are currently analyzing the protocol to include this specific mechanism in their analysis. If they find something wrong with it then even more reason to do the analysis. > I would still prefer it be defined in the TLS 1.3 specification document, > though optional. > I suggest to also define TLS 1.3-EZ. A subset of core safe functionality that should address the majority of the usage cases. Hugo > > > Dave > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Remove DH-based 0-RTT Martin Thomson
- Re: [TLS] Remove DH-based 0-RTT Wan-Teh Chang
- Re: [TLS] Remove DH-based 0-RTT Martin Thomson
- Re: [TLS] Remove DH-based 0-RTT Andrei Popov
- Re: [TLS] Remove DH-based 0-RTT Dave Garrett
- Re: [TLS] Remove DH-based 0-RTT Bill Cox
- Re: [TLS] Remove DH-based 0-RTT Hugo Krawczyk
- Re: [TLS] Remove DH-based 0-RTT Watson Ladd
- Re: [TLS] Remove DH-based 0-RTT Eric Rescorla
- Re: [TLS] Remove DH-based 0-RTT Subodh Iyengar
- Re: [TLS] Remove DH-based 0-RTT Martin Thomson
- Re: [TLS] Remove DH-based 0-RTT Watson Ladd
- Re: [TLS] Remove DH-based 0-RTT Martin Thomson
- Re: [TLS] Remove DH-based 0-RTT Ilari Liusvaara
- Re: [TLS] Remove DH-based 0-RTT Martin Thomson
- Re: [TLS] Remove DH-based 0-RTT Ilari Liusvaara
- Re: [TLS] Remove DH-based 0-RTT Karthikeyan Bhargavan
- Re: [TLS] Remove DH-based 0-RTT Ilari Liusvaara