Re: [TLS] PSK in 1.3?

Watson Ladd <watsonbladd@gmail.com> Sun, 19 October 2014 14:53 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WCpaGFO0RaKoSfZMBLiMigeqtzk

On Sun, Oct 19, 2014 at 6:41 AM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
> On 10/19/2014 03:03 PM, Yoav Nir wrote:
>> As Ilari said, there are ciphersuites with PSK and FS.
>>
>> I don’t see what the rationale can be to allow non-PFS for PSK authentication, but prohibit it for certificate authentication.  That would imply that we can make a blanket statement that the data passed in PSK-authenticated sessions is inherently low-value or non-private.  I don’t think we can make that statement.
>
> For using PFS some asymmetric cryptography is needed in addition to the
> symmetric cryptography and without PFS only symmetric cryptography is
> needed. For normal desktop usage this does not matter, but when you want
> to use TLS and DTLS on some embedded devices like Class 1 node (see
> rfc7228 section 3.) with ~ 10 KiB ram and ~ 100 KiB flash and a slow CPU
> (~ 10MHz) without any hardware cryptography support a DTLS handshake
> without PFS is possible in under two seconds while doing a handshake
> with PFS with asymmetric cryptography like ECC would take more than 10
> seconds or even minutes.
> In addition adding ECC also adds some more code.
>
> I tried a DTLS handshake between two simulated MSP430X and it took 3.3
> seconds for the PSK handshake using TLS_PSK_WITH_AES_128_CCM_8 and it
> took 336 seconds for a handshake using the
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite on the curve secp256r1
> without client authentication and 499 seconds with client
> authentication. The slow part was the elliptic curve multiplication
> which took 47 seconds. (my code was not very optimized and this was a
> very slow CPU)

These costs are close to the costs presented in
http://discovery.csc.ncsu.edu/software/TinyECC/TR-2007-36.pdf, and so
are in the right ballpark. However, there are several reasons why
ECDHE_ECDSA is not optimal. The first is signing and validation takes
a long time, the second is that genus 2 is faster. I also think there
are some papers that get better multiplication times, but I don't
think dramatically so.

If we want, we can fix these reasons by moving to solutions like the
Triple-DH handshake. But this ends up forcing new certificates and
kinds of keys on everyone, and getting genus 2 through CFRG should be
easy, but won't be/compatibility concerns.

You seem to have a point though: embedded devices use TLS because it
can avoid public key cryptography. Removing that option has costs, and
makes TLS 1.3 less useful than otherwise. Now, would sticking with TLS
1.2 be an option?

Sincerely,
Watson Ladd

>
> Hauke



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
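
Added example, not part of the thread or of any poster's code: the key derivation for a plain-PSK TLS 1.2 suite such as TLS_PSK_WITH_AES_128_CCM_8, using the RFC 4279 premaster secret and the RFC 5246 SHA-256 PRF. It shows that the handshake needs only HMAC, and that the master secret depends solely on the PSK and the two hello randoms, which is the forward-secrecy trade-off under discussion. The PSK, the random values and the `rederive_from_transcript` helper are constructed for illustration.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 section 2: uint16(N) || N zero octets || uint16(N) || PSK."""
    n = len(psk).to_bytes(2, "big")
    return n + bytes(len(psk)) + n + psk


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte TLS 1.2 master secret; no asymmetric operation is involved."""
    seed = b"master secret" + client_random + server_random
    return p_sha256(psk_premaster(psk), seed, 48)


def rederive_from_transcript(transcript: dict, psk: bytes) -> bytes:
    """Hypothetical helper: recompute the master secret from the cleartext
    hello randoms of a recorded handshake plus the long-term PSK."""
    return master_secret(psk, transcript["client_random"],
                         transcript["server_random"])


# Constructed sample values (not taken from any real handshake).
PSK = bytes(range(16))
TRANSCRIPT = {"client_random": b"\xc1" * 32, "server_random": b"\x5e" * 32}


def demo() -> bool:
    session = master_secret(PSK, TRANSCRIPT["client_random"],
                            TRANSCRIPT["server_random"])
    # Both randoms travel unencrypted, so the PSK alone reproduces the
    # session's master secret at any later time: no forward secrecy.
    return rederive_from_transcript(TRANSCRIPT, PSK) == session


if __name__ == "__main__":
    print("master secret recoverable from PSK + transcript:", demo())
```

With an ECDHE_PSK suite the premaster secret also contains the ephemeral Diffie-Hellman result, so the same recomputation fails once the ephemeral keys are discarded; that is the extra elliptic-curve multiplication cost measured in the quoted message.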