Re: [TLS] Pull request for 1RTT Handshake

Eric Rescorla <ekr@rtfm.com> Fri, 04 July 2014 05:28 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 Jul 2014 22:27:52 -0700
Message-ID: <CABcZeBN3sUTW3+BU3=e51+br20A9Z8=MN0i2YjK3hJ2JvLjwPQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_yvM8zj0mR_1l2R0R-gUuY4KeDA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull request for 1RTT Handshake

On Thu, Jul 3, 2014 at 9:41 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Thu, Jul 3, 2014 at 9:00 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Why send two messages when one will do? In particular the server can
> send a Server Key Exchange,
> and a Certificate, CertificateVerify message in response to the Client
> Hello.
>

I assume you intend the ServerHello here as well, since you need that for
the cipher suite, etc.?

> Once the client receives this, it's ready to send data after its CKE
> and such messages.
>
> Restarting the protocol the way we have now introduces another round trip.
>

Ah, I understand what you are suggesting.

Certainly something like this is possible, but the general sense of the
discussion at the Interim was that people wanted the "wrong group"
handshake to look like a missed guess/correction followed by the "right
group" handshake, in the interest of simplicity. Note also that if we
have a relatively small number of groups (which seems like a good idea
in any case) then the vast majority of handshakes can complete in 1-RTT
because the client guesses right (e.g., they send P256 and 25519 and
the server supports one or both.)

Another difficulty is that in the flow you are suggesting, you don't
protect the server's first flight, which includes:

- The server's extensions response (and request if we add DKG/Ritter's
   'type B extensions').

- The server's certificate (relevant if using SNI encryption and for
   passive protection for P2P applications).

In some cases, an attacker can elicit these, so protection is just
passive, and in others he cannot, in which case protection is also
active.

Best,
-Ekr
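A small model of the guess-and-retry group negotiation discussed in this message, added here as an illustration (it is not code from the draft or from either participant): the client offers key shares only for the groups it guesses, the server answers in one round trip on a hit and with a retry on a miss. The message names, group labels and retry logic are assumptions made for the example.

```python
# Model of the "guess the group" 1-RTT handshake: constructed for illustration,
# message names and group labels are assumptions, not taken from the draft.
from dataclasses import dataclass, field


@dataclass
class ClientHello:
    supported_groups: list                           # all usable groups, in preference order
    key_shares: dict = field(default_factory=dict)   # group -> ephemeral public value (stand-in)


def client_hello(supported, guess):
    """Client lists every supported group but sends key shares only for its guesses."""
    return ClientHello(supported_groups=list(supported),
                       key_shares={g: f"share-{g}" for g in guess})


def server_respond(hello, server_groups):
    """Server takes the first of its groups for which the client sent a share (1-RTT).
    If none, it names a mutually supported group and asks for a retry (2-RTT).
    Returns (message, round_trips); message is None when no common group exists."""
    for g in server_groups:
        if g in hello.key_shares:
            return ("ServerHello", g), 1
    for g in server_groups:
        if g in hello.supported_groups:
            return ("Retry", g), 2
    return None, 0


def handshake(client_supported, client_guess, server_groups):
    """Run the exchange to completion; returns (negotiated_group, round_trips)."""
    hello = client_hello(client_supported, client_guess)
    msg, rtt = server_respond(hello, server_groups)
    if msg is None:
        return None, 0
    kind, group = msg
    if kind == "Retry":
        # Missed guess: the client re-sends a ClientHello carrying a share for the
        # named group, and the "right group" handshake then proceeds normally.
        retry_hello = client_hello(client_supported, [group])
        assert server_respond(retry_hello, server_groups)[0] == ("ServerHello", group)
    return group, rtt


def one_rtt_fraction(client_supported, client_guess, server_configs):
    """Fraction of server configurations that complete in 1-RTT with this guess."""
    rtts = [handshake(client_supported, client_guess, s)[1] for s in server_configs]
    return sum(1 for r in rtts if r == 1) / len(rtts)
```

With a two-group guess such as P256 plus X25519, every server that supports either finishes in one round trip; only servers that accept neither pay for the retry.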