Re: [TLS] Initial draft of DH-based key exchange

[Nikos Mavrogiannopoulos <nmav@redhat.com>]

On Mon, 2015-03-23 at 15:22 -0400, Hugo Krawczyk wrote:


> ​Two important things change in TLS 1.3:​
> - Forward secrecy (PFS) is now mandatory.
> 
> - The protocol accommodate a 0-RTT mode.
> 
> 
> These two changes can only be implemented via Diffie-Hellman
> transforms (in theory, any CCA-secure public key encryption can be
> used but (EC)DH is the only currently practical instantiation in this
> setting). In particular, 0-RTT requires supporting semi-static DH keys
> for the server. All that ekr draft does is to build a protocol where
> PFS is supported, 0-RTT is supported, semi-static keys are supported,
> and TLS-type signatures are supported in any case where the client
> does not have a cached semi-static key of the server. The beauty of
> it, if I can say so, is that all these modes are just subsets of a
> single protocol with a single crypto logic and uniform specification
> (which also covers uniformly PSK and resumption).

So if I understand well the additional semi-static key is to support the
0-rtt case only, and otherwise it should be simply a copy of the
ephemeral key? I cannot say I fully follow the protocol in all possible
scenarios. It would be nice to have a message flow of the interactions
for the DH key exchange in all the cases (e.g., PSK) either as an
appendix or the main text. As we are moving to non-widely known key
exchanges it makes sense to document them clearly, or at least link to
documents which define them.

regards,
Nikos