IETF Logo Mail Archive

Re: [TLS] Initial draft of DH-based key exchange

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 24 March 2015 14:03 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB851A8713 for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 07:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OENo4mVpeA53 for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 07:03:48 -0700 (PDT)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A22091A870F for <tls@ietf.org>; Tue, 24 Mar 2015 07:03:47 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 37F171887BF; Tue, 24 Mar 2015 16:03:45 +0200 (EET)
Date: Tue, 24 Mar 2015 16:03:45 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Message-ID: <20150324140344.GA797@LK-Perkele-VII>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <1427123147.19595.62.camel@redhat.com> <CADi0yUMxvN3hHJ2zx7m5hOrPdu080DjvyOGim8c3++QETcx3bA@mail.gmail.com> <1427185709.3200.23.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1427185709.3200.23.camel@redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/d-LCSmNXn51HtE2YB-K1VY44a_k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 14:03:50 -0000

On Tue, Mar 24, 2015 at 09:28:29AM +0100, Nikos Mavrogiannopoulos wrote:
> On Mon, 2015-03-23 at 15:22 -0400, Hugo Krawczyk wrote:
> 
> 
> > ​Two important things change in TLS 1.3:​
> > - Forward secrecy (PFS) is now mandatory.
> > 
> > - The protocol accommodate a 0-RTT mode.
> > 
> > 
> > These two changes can only be implemented via Diffie-Hellman
> > transforms (in theory, any CCA-secure public key encryption can be
> > used but (EC)DH is the only currently practical instantiation in this
> > setting). In particular, 0-RTT requires supporting semi-static DH keys
> > for the server. All that ekr draft does is to build a protocol where
> > PFS is supported, 0-RTT is supported, semi-static keys are supported,
> > and TLS-type signatures are supported in any case where the client
> > does not have a cached semi-static key of the server. The beauty of
> > it, if I can say so, is that all these modes are just subsets of a
> > single protocol with a single crypto logic and uniform specification
> > (which also covers uniformly PSK and resumption).
> 
> So if I understand well the additional semi-static key is to support the
> 0-rtt case only, and otherwise it should be simply a copy of the
> ephemeral key? I cannot say I fully follow the protocol in all possible
> scenarios. It would be nice to have a message flow of the interactions
> for the DH key exchange in all the cases (e.g., PSK) either as an
> appendix or the main text. As we are moving to non-widely known key
> exchanges it makes sense to document them clearly, or at least link to
> documents which define them.

>From what I can understand, it adds interrim server DH key, which server
signs (which may be the same as the server eph. key), computes DH of
both with client eph. key and mixes those to become session keys
(the interrim key can be reused to become 0RTT key for the next
connection).

So roughly:
- Client: C_pub_e 
- Server: S_pub_e, S_pub_s, Sign(S_pub_s, handshake_messages)
- 0RTT key: F(DH(S_pub_s_prev, C_pub_e)
- Session keys: G(DH(S_pub_s, C_pub_e), DH(S_pub_e, C_pub_e))


To me, this looks to lose all the benefits of of offline version:
- The offline version is two-level key scheme, this isn't.
- This version is quite a bit slower unless you disable 0RTT.
- The offline version avoids server to have implement online
  signature, simplifying the code a good bit (especially if the
  signature is apparently intentionally made difficult, like ECDSA).



-Ilari

v2.23.0 | Report a Bug | By Email