Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Bodo Moeller <bmoeller@acm.org> Fri, 21 July 2006 09:39 UTC
Date: Fri, 21 Jul 2006 11:39:38 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: tls@ietf.org
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Message-ID: <20060721093938.GA21125@iota.site>
References: <E1G3hLF-00055R-Fd@stiedprstage1.ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
On Thu, Jul 20, 2006 at 06:50:01PM -0400, Internet-Drafts@ietf.org wrote:

> Title : Pre-Shared Key Cipher Suite with NULL Encryption for Transport Layer Security
> Author(s) : U. Blumenthal, P. Goel
> Filename : draft-ietf-tls-psk-null-00.txt
> Pages : 5
> Date : 2006-7-20
>
> This document specifies authentication-only cipher suites for the
> Pre-Shared Key based [TLS-PSK] Transport Layer Security (TLS) [TLS]
> protocol to support null encryption. These cipher suites are useful
> for countries and places with cryptography-related restrictions.

> http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-null-00.txt

The new I-D contains three ciphersuites:

    TLS_PSK_WITH_NULL_SHA
    TLS_DHE_PSK_WITH_NULL_SHA
    TLS_RSA_PSK_WITH_NULL_SHA

Is there a good case for defining a DHE_PSK ciphersuite with NULL encryption?

RSA_PSK involves server certificates, so it does not solely rely on pre-shared keys for authentication. DHE_PSK, however, uses ephemeral Diffie-Hellman without certificate-based authentication. This is very useful when the key exchange is used to obtain keys for symmetric encryption. However, in these NULL encryption ciphersuites, the key exchange is only used to derive authentication keys, so there is only a very limited need for forward security. (DHE_PSK, when using NULL encryption, provides protection against exposure of a pre-shared key if use of said key has been stopped, but TLS sessions based on the key remain active.)

If we are going to allocate additional ciphersuite numbers for new PSK ciphersuites, other key exchange mechanisms for use with symmetric encryption would appear more useful to me than DHE_PSK for NULL encryption: RFC 4247 does not have any DHE_RSA_PSK and EDH_DSS_PSK methods, which would combine ephemeral Diffie-Hellman with RSA or DSA certificates -- thus providing both forward security and certificate-based server authentication.

I don't know if this variant is really needed (probably so rarely that combining multiple different key exchange methods via renegotiation is a more reasonable technique than specifying another set of specific ciphersuites), but it certainly looks more useful to me than TLS_DHE_PSK_WITH_NULL_SHA!

So currently I think we should cut down the I-D to only two ciphersuites, TLS_PSK_WITH_NULL_SHA and TLS_RSA_PSK_WITH_NULL_SHA.
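Added example, not part of the original message or of the draft: a Python sketch of what the two 20-byte MAC secrets of a `*_WITH_NULL_SHA` suite depend on under plain PSK and under DHE_PSK, which is the property the parenthetical above refers to. It assumes the TLS 1.0 PRF and the PSK premaster-secret layout; the function names, the toy DH group and the sample PSK are constructed for illustration.

```python
import hmac, secrets, struct

P, G = 2**127 - 1, 3  # toy DH group, illustration only (assumption, not from the draft)

def p_hash(alg, secret, seed, n):
    """P_hash data expansion used by the TLS 1.0 PRF."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, alg).digest()
        out += hmac.new(secret, a + seed, alg).digest()
    return out[:n]

def prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the last half."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def premaster(other_secret, psk):
    """PSK premaster secret: uint16 length + other_secret + uint16 length + psk."""
    return (struct.pack(">H", len(other_secret)) + other_secret +
            struct.pack(">H", len(psk)) + psk)

def null_sha_mac_keys(pms, client_random, server_random):
    """With NULL encryption the key block holds only the two 20-byte MAC secrets."""
    master = prf(pms, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return block[:20], block[20:]

def psk_keys(psk, cr, sr):
    # Plain PSK: other_secret is len(psk) zero octets; inputs are the PSK and cleartext randoms.
    return null_sha_mac_keys(premaster(bytes(len(psk)), psk), cr, sr)

def dhe_psk_keys(psk, cr, sr, my_priv, peer_pub):
    # DHE_PSK: other_secret is the ephemeral DH value Z with leading zero bytes stripped.
    z = pow(peer_pub, my_priv, P)
    zb = z.to_bytes((z.bit_length() + 7) // 8, "big")
    return null_sha_mac_keys(premaster(zb, psk), cr, sr)

def demo():
    psk = b"constructed-demo-psk"  # constructed sample value
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)  # sent in the clear
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    client = dhe_psk_keys(psk, cr, sr, a, pow(G, b, P))
    server = dhe_psk_keys(psk, cr, sr, b, pow(G, a, P))
    other = dhe_psk_keys(psk, cr, sr, secrets.randbelow(P - 3) + 2, pow(G, b, P))
    return {"dhe_peers_agree": client == server,
            "dhe_needs_ephemeral": other != client}
```

`psk_keys` takes nothing beyond the PSK and the two hello randoms, while `dhe_psk_keys` yields different MAC secrets for the same PSK and randoms as soon as an ephemeral exponent changes.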