IETF Logo Mail Archive

Re: [TLS] Ephemeral key exchange in TLS Snap Start (was RE: TLS Snap Start)

Adam Langley <agl@google.com> Sun, 01 August 2010 00:44 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0BE13A6AAE for <tls@core3.amsl.com>; Sat, 31 Jul 2010 17:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18wnvZ1IuidJ for <tls@core3.amsl.com>; Sat, 31 Jul 2010 17:44:38 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 699103A6A50 for <tls@ietf.org>; Sat, 31 Jul 2010 17:44:37 -0700 (PDT)
Received: from kpbe13.cbf.corp.google.com (kpbe13.cbf.corp.google.com [172.25.105.77]) by smtp-out.google.com with ESMTP id o710j2b5020615 for <tls@ietf.org>; Sat, 31 Jul 2010 17:45:02 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1280623503; bh=0Aqx2r/ixF1VoFS3n1bsLWcNsRI=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=wZ2ZbHTXIhD9lwCU4A8zycKG65muys5fB9RgII7iFN4uoLLEQpPwSEcoyotbyVRdA mG5/mL24lRCwVp4vbEqEQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:content-transfer-encoding:x-system-of-record; b=FIm14GoVzun8smb/DdITAZohNJUDm5lLYvZ9v9Zm+Bw7rnHsPS4/Ddcpx04ta4Rny 9SXw90NDbXEd5mK0WhjRw==
Received: from iwn41 (iwn41.prod.google.com [10.241.68.105]) by kpbe13.cbf.corp.google.com with ESMTP id o710j0Fb019532 for <tls@ietf.org>; Sat, 31 Jul 2010 17:45:01 -0700
Received: by iwn41 with SMTP id 41so2448229iwn.30 for <tls@ietf.org>; Sat, 31 Jul 2010 17:45:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.30.134 with SMTP id u6mr4190845ibc.121.1280623500779; Sat, 31 Jul 2010 17:45:00 -0700 (PDT)
Received: by 10.231.142.32 with HTTP; Sat, 31 Jul 2010 17:45:00 -0700 (PDT)
In-Reply-To: <001301cb3100$ef203ee0$cd60bca0$@briansmith.org>
References: <001201cb1c6b$b24f9730$16eec590$@briansmith.org> <AANLkTil_u_ZUj-suzrdJryzS7cIqofFLGIwXUk2eIB4x@mail.gmail.com> <001301cb3100$ef203ee0$cd60bca0$@briansmith.org>
Date: Sat, 31 Jul 2010 20:45:00 -0400
Message-ID: <AANLkTimM=mRqCMqvO+vCR_t==Wjz1Jd5jMM_43-6sAbS@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] Ephemeral key exchange in TLS Snap Start (was RE: TLS Snap Start)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Aug 2010 00:44:39 -0000

On Sat, Jul 31, 2010 at 6:37 PM, Brian Smith <brian@briansmith.org> wrote:
> 1. An extension (or new cipher suites) for indicating that the (EC)DH parameters in a ServerKeyExchange message are not really ephemeral, but rather are reusable for a certain duration of time. This part could be used reused independently of the other parts.

I believe that this is isomorphic to (EC)DH_(RSA|DSS). Although I must
admit that I've never seen a fixed DH TLS connection, and a brief
check of the RFC wasn't enlightening. I'm not aware of the standard
format for (EC)DH_(RSA|DSS) certificates, although I suppose that the
X.509 PublicKey field is flexible enough to admit a fixed DH value. If
the server knew that the client could trust the fixed DH value via
another means (i.e. DNSSEC) then the signature of the certificate
could be omitted and the _(RSA|DSS) part rendered moot.

> 2. An extension that allows the client to put its ClientKeyExchange in a ClientHello extension. For DHE key exchanges, this would depend on the preceding extension.

I believe that the fixed DH value would be included in the client's
certificate with (EC)DH_(RSA|DSS). Again, probably unsigned.

> Given #1 and #2, the handshake would be optimized to a sequence similar to session resumption, but allowing a request for client authentication:

(I intended that Snap start already allow for client-side
certificates, although none of my unittests verify this.)

> Notice that, since the key exchange is done before the server sends its ServerHello, the CertificateStatus, CertificateRequest, Certificate, CertificateVerify, and NewSessionTicket messages can be encrypted and authenticated simply by placing them after the Finished messages, instead of before them. This would provide the extra benefit of even better privacy for the client user than previous attempts like [1] and [2], including unlinkability of session tickets (but still subject to traffic analysis).

I like encrypting as much as possible in principle.

> Like I mentioned before, I think snap start should be modified so that only the initial ClientHello-embedded application-data is encrypted/authenticated using the keys derived purely from client-supplied information. All the subsequent application data should be protected using new keys derived using a random value generated by the server. For many applications, this would greatly reduce the impact of many replay attacks that weren't caught due to some error on the server side in managing the strike register, because it would provide the same guarantee as standard TLS that the server would *never* reuse IVs and keys, even if the client did. And, this change may  allow may allow many applications to work securely even *without* a strike register. For example, it seems like a public search engine that allowed read-only queries wouldn't necessarily need a strike register if this modification were made to snap start.

Your point about making sure that the server never reuses an IV + Key
is a very good one. I would want to consider it for a couple of days
but, at this point, I think it has sufficient merit to warrant
changing Snap Start. I suspect that my thinking was clouded because it
wouldn't have been easy in the original formulation of Snap Start, but
is much more so with the current one.

In general, I see EDH as much more of a spectrum than the dichotomy
that I often find it presented as. At one extreme, multiple EDH
handshakes could be performed in a single connection to protect
different time spans of that connection. At the other, the practice of
rotating RSA keys every year provides some forward security: a
compromise of this year's key doesn't allow for retrospective
decryption of last year's traffic.

When using ECDHE with a 224-bit curve (or larger), I think key
compromise is the greatest danger. The work required to calculate
discrete logs in such a large group suggests that, if accomplished,
the attacker probably has such a monumental breakthrough (i.e. a
quantum computer) that per-connection EDH probably isn't going to
present much more of a challenge.

Therefore, rotating a fixed DH value at some frequency may well
provide a better performance/security trade-off than per-connection
EDH. (And I'm probably pointing out the obvious when I say that DNSSEC
seems to provide a convenient, dynamic trust base for that.)


AGL

v2.23.0 | Report a Bug | By Email