Re: [TLS] I-D Action: draft-ietf-tls-ctls-00.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 27 April 2020 12:47 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA333A08CC for <tls@ietfa.amsl.com>; Mon, 27 Apr 2020 05:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1EkabWgvkVUY for <tls@ietfa.amsl.com>; Mon, 27 Apr 2020 05:47:52 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB6A03A08CB for <tls@ietf.org>; Mon, 27 Apr 2020 05:47:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 6BBAC140B6 for <tls@ietf.org>; Mon, 27 Apr 2020 15:47:49 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id IiIfsdTuIMBt for <tls@ietf.org>; Mon, 27 Apr 2020 15:47:48 +0300 (EEST)
Received: from LK-Perkele-VII (87-100-246-37.bb.dnainternet.fi [87.100.246.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id DF7BF27B for <tls@ietf.org>; Mon, 27 Apr 2020 15:47:46 +0300 (EEST)
Date: Mon, 27 Apr 2020 15:47:46 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20200427124746.GA3839288@LK-Perkele-VII>
References: <158793540276.8190.8571632584417892419@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <158793540276.8190.8571632584417892419@ietfa.amsl.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XG_NZqzq3jqwXpa0I5l8KpTI0BI>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ctls-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 12:47:55 -0000
On Sun, Apr 26, 2020 at 02:10:02PM -0700, internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Transport Layer Security WG of the IETF. > > Title : Compact TLS 1.3 > Authors : Eric Rescorla > Richard Barnes > Hannes Tschofenig > Filename : draft-ietf-tls-ctls-00.txt > Pages : 17 > Date : 2020-04-26 > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-tls-ctls/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-tls-ctls-00 > https://datatracker.ietf.org/doc/html/draft-ietf-tls-ctls-00 First impressions: - I think this protocol should use different label in key derivations from the "tls13" label used by TLS 1.3. I do not see any fundamential reason why transcripts could not collide with TLS 1.3 ones. - It seems not be possible for server to support multiple profiles at once. This could be useful for things like updating clients to use better algorithms. - It probably makes sense to support the case where client profile has incomplete list of certificates. E.g., some IoT client only knows its own and server certificates, whereas the server knows all certificates. - If one wanted dual TLS 1.3/cTLS server, one would presumably have to define TCP mapping. Simplest one that might work: Connection starts with fixed byte (which should not be 20-126 to be able to tell the thing apart from both TLS 1.x and HTTP), followed by sequence of records, where each record is prefixed with varint length. Application data records transport application data. However, cTLS is not quite "TLS 2.0", as that would presumably move some important extensions into top-level messages. Especially stuff like supported_groups, key_share and pre_shared_key. - There is one special case where epoch is not clear: alert mesages in response to server handshake. These can be unprotected despite being in position where protected record is possible. It is possible to tell apart unprotected alerts from everything else by size. Unprotected alerts are 2 bytes (if the useless severity field is stripped out), and no protected record can be that small. - Just blindly switching all integers to varints does not work, as there are integer fields that can legimately have integer values >=2^22. TLS 1.3 spec itself has two of those: PskIdentity.obfuscated_ticket_age and NewSessionTicket.ticket_age_add. And with those two, it is not even possible to just take modulo 2^22, as the time unit is milliseconds, so that would limit the ticket age to just ~70 minutes. Some extensions have more integer fields that can be >=2^22, but none that I can find where limiting to 2^22-1 would be a significant issue. - Strict ascending extension sort probably does not work, as extension 41 is magic due to having to be last in client hello. If there is strict extension sort, most straightforward fix would be to make the order 0,1,2,3,4,..,39,40,42,43,,..,65534,65535,41. - Some ways to eke a few more bytes out of profiling: * If group is specified, move key share out of extensions. * If group is specified to something with fixed length, omit the group length. * If using uncompressed P-x keys, strip the 04 prefix (does not work with X25519 nor X448, as there is no prefix). * If using compressed P-521 keys, stuff the sign bit into unused bit of the x coordinate field (does not work with P-256 nor P-384 as there are no unused bits in x coordinate field, nor with X25519 nor X448 as there is no sign bit). * If signature algorith is specified, omit the signature algorithm. * If EncryptedExtensions is empty, omit it (can tell if it is there from type sequence). * Re-encode ECDSA signatures to raw form (can also be done without profiling; does not work with Ed25519 nor Ed448 as the signatures are already in raw form). * If signature algorithm has fixed signature length, omit it in signatures (e.g., Ed25519 and raw form ECDSA/P-256 are always 64 bytes; can also be done without profiling). - The example in A.1 looks suspect: * Why is client_shares.length encoded as 2 bytes? it is vector length <128, so should be 1 byte? * Why is KeyShareEntry.group encoded as 2 bytes? It is enumeration value <128, so should be 1 byte? (Both in Client Hello and Server Hello). * Why is length of KeyShareEntry.key_exchange encoded as 2 bytes? It is vector length <128, so should be 1 byte? (Both in Client Hello and Server Hello). * Why does the signature start with 4047? The signature should be 71 bytes, so should be 47? (Both in server and client flights). - And example in A.2 has this: * Server hello has 18 bytes = RANDOM(16) + 2 ... Those 2 are presumably overhead? * Client Flight: 1 byte = Overhead(3) ... Should presumably be 1 byte of overhead. -Ilari
- [TLS] I-D Action: draft-ietf-tls-ctls-00.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-ctls-00.txt Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-ctls-00.txt Raja Ashok