IETF Logo Mail Archive

Re: [TLS] OPTLS: Signature-less TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Sat, 01 November 2014 21:07 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E305B1A1A82 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 14:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjrP60xJh1Bg for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 14:07:55 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96B6C1A1A77 for <tls@ietf.org>; Sat, 1 Nov 2014 14:07:54 -0700 (PDT)
Received: by mail-yk0-f182.google.com with SMTP id q200so4245682ykb.13 for <tls@ietf.org>; Sat, 01 Nov 2014 14:07:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=0nXp1e5IfYPa5PD9ktbVySz2yaXxnKmpIOjUNXvby4k=; b=EIB8bAou0xgZlj2bXSTNUBuAkT0jsg+w6pON9Nu9uiJQnp58rEZ1TmFSz+1lD4SfZd M3SM4ZnEdSfl1iZwgO8zGWp/gBioy6tkRT7uPi3d4vY039b/gs8zCcpfC+lLkWK6peXX jOmHmdIU2vYFhMyiaagNetd+seAox0VbLkTvTPPXKYF9Igoc6NnTF0aU81rX93F5WFyl iosV9jHofsyqfFXXmM04wFg59Hyx8DrCnxB3gWKTuoWH+iMTKF5xfp6Dck62im74eoNu GrdQhyJ1gOTi2QZUUAe8yGEf6xhpHoaxASLxJj5OICP4wZeYh6wEC9mrxvB0nK73YrHU wJQg==
MIME-Version: 1.0
X-Received: by 10.236.17.129 with SMTP id j1mr2932982yhj.143.1414876073938; Sat, 01 Nov 2014 14:07:53 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Sat, 1 Nov 2014 14:07:53 -0700 (PDT)
In-Reply-To: <CABcZeBNYpQu=SCorXDa+TEEGVLb7d902LAed5fjDeK-wbafVRw@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com> <20141101101611.GA25180@LK-Perkele-VII> <CABcZeBNYpQu=SCorXDa+TEEGVLb7d902LAed5fjDeK-wbafVRw@mail.gmail.com>
Date: Sat, 01 Nov 2014 14:07:53 -0700
Message-ID: <CACsn0c=c6z5VR3KZ2f6oydVrFxBxzWwpbyVr4Xt5x04NAUiVYQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/c5yRQqnV7_RJv1_rHeDYYhKo2ps
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 21:07:58 -0000

On Sat, Nov 1, 2014 at 7:46 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Sat, Nov 1, 2014 at 3:16 AM, Ilari Liusvaara
> <ilari.liusvaara@elisanet.fi> wrote:
>>
>> > > PROTOCOL OPTLS:
>> > >
>> > > ClientHello
>> > > ClientKeyShare
>> > > ClientData* [K0]       -------->
>> > >                                            ServerHello
>> > >                                            ServerKeyShare
>> > >                                            ServerCertificate* [K1]
>> > >                                            ServerFinished [K2]
>> > >                        <--------           ServerData* [K2]
>> > > ClientFinished* [K2]   -------->
>> > >
>> > >
>> > >             Protected Application Data [K3]
>> > >                        <------->
>> > > 1-RTT CASE:
>> > >
>> > > The basic 1-RTT case omits the ClientData* field. It includes a
>> > > ClientKeyShare
>> > > g^x and a ServerKeyShare g^y and an optional (encrypted) server
>> > > certificate.
>> > > If the certificate is sent (it can be omitted if the client has
>> > > indicated
>> > > that
>> > > it knows the server key as in the case in the 0-RTT scenario) and is
>> > > encrypted,
>> > > the encryption key K1 is derived from g^{xy}.
>> > >
>> > > Key K2 is an encryption key derived from both g^{xs} and g^{xy}. It is
>> > > used
>> > > to
>> > > authenticate-encrypt the ServerFinished and ClientFinished messages
>> > > (which
>> > > include a hash of the previous traffic) and to encrypt data from the
>> > > server
>> > > if
>> > > such data is piggybacked to the second message.
>> >
>> > How does the client get the DH (or ECDH) group parameters used by the
>> > server?
>>
>> Presumably from ServerHello (with CKS being optimistic).
>>
>> But the case where client misses all its guesses needs to be handled.
>
>
> Unless I'm missing something, this can be handled the way that we
> currently handle missed guesses, I.e., by having a HelloRetryRequest
> followed by a new ClientHello/ClientKeyShare. Though of course
> the server does need to either keep their RSA private key online
> or periodically generate new signed DH shares for every group.
>
>
>>
>> However, this poses some challenges with respect to revocation. From what
>> I
>> understand, the parameters are intended to have limited lifetime (much
>> shorter than EE certificates).
>>
>> The reason this is problematic is that one can't really rely on clocks:
>> - Even if you happen to have sub-second accurate clock, a lot of computers
>> don't.
>> - The time protocols often aren't secured, allowing attacker to play
>> tricks
>>   with endpoint time.
>
>
> We're already starting to have that problem because of a desire to move to
> OCSP
> stapling, which, with staple, effectively gives the server a credential
> which is
> valid only within a fairly narrow window. However, I think you're right that
> this
> probably limits the range of lifetimes you can use with these signed DH
> keys.

That's not the problem Illari was talking about: It's not that g^s has
limited lifetime, but that there is no way to know that the lifetime
is expired, so it has long lifetime. NTP is not secure, so we have to
deal with bad clocks. In the case of certificates, this is usually not
so bad as the lifetimes are long. It might not be a problem for this,
as we can occasionally resign, keep s in memory and not be worse off
than today, or say that TLS clients need trusted clocks to avoid
compromise when s is revealed.

I don't think this is worse than today, where short lived certificates
can be wound back by similar means. However, the fact that this
requires changes to the handling of secrets may prove a barrier to
adoption of TLS 1.3. I hope people who are involved with more complex
things than tiny herds of beefy boxes will comment on how this
proposal does or doesn't work for them, and that these issues don't
turn out to be a dealbreaker.

Long term we need secure NTP if we want to limit things by time: there
is a proposal in the NTP WG, but it is overly complex and will likely
never be implemented due to gratuitous use of CMS. This time issue may
very well need to go into Security Considerations as unresolveable.

Sincerely,
Watson Ladd

>
> -Ekr
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.14.0 | Report a Bug | By Email