IETF Logo Mail Archive

Re: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3

Tony Putman <Tony.Putman@dyson.com> Thu, 08 March 2018 17:41 UTC

Return-Path: <prvs=598c50370=Tony.Putman@dyson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64525127522 for <tls@ietfa.amsl.com>; Thu, 8 Mar 2018 09:41:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8cYsUrj9mQH for <tls@ietfa.amsl.com>; Thu, 8 Mar 2018 09:41:15 -0800 (PST)
Received: from esa4.dyson.c3s2.iphmx.com (esa4.dyson.c3s2.iphmx.com [68.232.139.183]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225F912751F for <tls@ietf.org>; Thu, 8 Mar 2018 09:41:14 -0800 (PST)
X-IronPort-SPF: SKIP
X-IronPort-AV: E=McAfee;i="5900,7806,8826"; a="30168638"
X-IronPort-AV: E=Sophos; i="5.47,441,1515456000"; d="scan'208,217"; a="30168638"
Received: from unknown (HELO uk-dlp-smtp-01.dyson.global.corp) ([62.189.202.16]) by esa4.dyson.c3s2.iphmx.com with ESMTP; 08 Mar 2018 17:41:07 +0000
Received: from uk-dlp-smtp-01.dyson.global.corp (uk-dlp-smtp-01.dyson.global.corp [127.0.0.1]) by uk-dlp-smtp-01.dyson.global.corp (Service) with ESMTP id 20E89FA10; Thu, 8 Mar 2018 16:06:46 +0000 (GMT)
Received: from UK-MAL-CAS-01.dyson.global.corp (unknown [10.1.108.2]) by uk-dlp-smtp-01.dyson.global.corp (Service) with ESMTP id 08A18FA02; Thu, 8 Mar 2018 16:06:46 +0000 (GMT)
Received: from UK-MAL-OWA-02.dyson.global.corp (10.1.108.7) by UK-MAL-CAS-01.dyson.global.corp (10.1.108.2) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 8 Mar 2018 17:41:06 +0000
Received: from UK-MAL-MBOX-02.dyson.global.corp ([fe80::d06f:fa07:f6dd:5a9c]) by UK-MAL-OWA-02.dyson.global.corp ([fe80::f9b6:1719:a6d9:1eca%10]) with mapi id 14.03.0319.002; Thu, 8 Mar 2018 17:41:06 +0000
From: Tony Putman <Tony.Putman@dyson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "<tls@ietf.org>" <tls@ietf.org>, Christopher Wood <christopherwood07@gmail.com>
Thread-Topic: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3
Thread-Index: AQHTtMcJWeEnis9wG0CY/StJz+XTI6PD/QqAgAKL6FA=
Date: Thu, 08 Mar 2018 17:41:05 +0000
Message-ID: <140080C241BAA1419B58F093108F9EDC1678CD1A@UK-MAL-MBOX-02.dyson.global.corp>
References: <CABcZeBON1KiUUFx9h863APxB31Poy-czNpYS1+HwZjyQxn6wEw@mail.gmail.com> <b76b0d82-5714-4e1e-82ff-3f8af59c2c3e@Spark>
In-Reply-To: <b76b0d82-5714-4e1e-82ff-3f8af59c2c3e@Spark>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.108.27]
Content-Type: multipart/alternative; boundary="_000_140080C241BAA1419B58F093108F9EDC1678CD1AUKMALMBOX02dyso_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/alnK1pVoa2db9VNumG_FIPUsB9U>
Subject: Re: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 17:41:18 -0000

Hi Ekr,

Firstly, thanks for this. My primary reason for putting together draft-putman was to propose a handshake exchange which only uses a single asymmetric algorithm. If this proposal is extended to include raw public keys (I think these are already supported, but not mentioned in the text) and an ECDH-based MAC for client authentication, then this satisfies my constraints.

As a single data point, I can state that some of the IoT products that I'm working with already use static ECDH keys for client authentication (though not within TLS).

Although OPTLS is able to use 0-RTT, I don't see how this capability could be used in this implementation, even if the client knows the server static key. Because SS is only included in the key schedule when the master secret is generated, the client_early_traffic_secret has no input secret. Conversely, if the SS is included in the key schedule as the PSK, then the certificate cannot be decrypted by a client which does not have the server static key.

My conclusion is that, although this is usable with pre-provisioned ECDH keys, this is not the main use case. The different use case results in fewer properties; in particular (as noted), a client static key is not included in the key schedule. This means application data sent from the server before the client finished message is received is sent to an unauthenticated client (this is not the case with either PSK auth or with draft-putman).

I think that this and draft-putman are not competing, but rather that they serve different use cases. They could be synergistic, such that this draft provides a mechanism for distributing a static key which could later be used in a draft-putman exchange; however, the natural continuation would be to use a resumption PSK, so this would only be useful if there were a long gap between session, which seems unlikely.

Regards,
Tony

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Christopher Wood
Sent: 07 March 2018 01:26
To: <tls@ietf.org>; Eric Rescorla
Subject: Re: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3

Thanks for putting this together! I’m in favor of the mechanism and look forward to discussing it. Negotiating with signature_algorithms is a simple way to roll this out, it fits in cleanly with the key schedule, and the benefits outlined in the introduction (PRNG hardening, plausible deniability, etc.) seem worth the effort. Although the approach has its roots in OPTLS, we will certainly need to re-assess its impact on the handshake. (I know of some folks actively working on this.) We also need to spend more time thinking about the open issues — specifically, the story around early data encryption. This variant has the benefit of enabling early data with public key encryption, as opposed to (trackable) symmetric key encryption. It’s unclear to me whether or not we need to address the static share publication issue for this benefit.

Anyway, thanks again for the draft. I’ll read it carefully before London.

Best,
Chris

On Mar 5, 2018, 4:14 PM -0500, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>, wrote:

Hi folks,

Here's another entry in the DH-only pile.

I've just posted:
   draft-rescorla-tls13-semistatic-dh-00

This implements a semi-static DH exchange mostly borrowed from
OPTLS [0]. There are obviously connections with draft-putman, but
this is more oriented towards implementing a 1-RTT style
exchange where the client has no foreknowledge of the server's
capabilities (though it's extensible to 0-RTT) than towards
pre-distributed DH keys, and has less invasive changes to the
key schedule.

We'd like 10 minutes to discuss this in London.

Thanks,
-Ekr

[0] http://ieeexplore.ieee.org/abstract/document/7467348/



_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK.
This message is intended solely for the addressee and may contain confidential information. If you have received this message in error, please immediately and permanently delete it, and do not use, copy or disclose the information contained in this message or in any attachment.
Dyson may monitor email traffic data and content for security & training.

v2.23.0 | Report a Bug | By Email