Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

Bodo Moeller <> Fri, 21 July 2006 09:39 UTC


On Thu, Jul 20, 2006 at 06:50:01PM -0400, wrote:

> 	Title		: Pre-Shared Key Cipher Suite with NULL Encryption for Transport Layer Security 
> 	Author(s)	: U. Blumenthal, P. Goel
> 	Filename	: draft-ietf-tls-psk-null-00.txt
> 	Pages		: 5
> 	Date		: 2006-7-20
>    This document specifies authentication-only cipher suites for the 
>    Pre-Shared Key based [TLS-PSK] Transport Layer Security (TLS) [TLS] 
>    protocol to support null encryption. These cipher suites are useful 
>    for countries and places with cryptography-related restrictions.  


The new I-D contains three ciphersuites:


Is there a good case for defining a DHE_PSK ciphersuite with NULL
encryption?  RSA_PSK involves server certificates, so it does not
solely rely on pre-shared keys for authentication.  DHE_PSK, however,
uses ephemeral Diffie-Hellman without certificate-based
authentication.  This is very useful when the key exchange is used to
obtain keys for symmetric encryption.  However, in these NULL
encryption ciphersuites, the key exchange is only used to derive
authentication keys, so there is only a very limited need for forward
security.  (DHE_PSK, when using NULL encryption, provides protection
against exposure of a pre-shared key if use of said key has been
stopped, but TLS sessions based on the key remain active.)

If we are going to allocate additional ciphersuite numbers for new PSK
ciphersuites, other key exchange mechanisms for use with symmetric
encryption would appear more useful to me than DHE_PSK for NULL
encryption: RFC 4247 does not have any DHE_RSA_PSK and EDH_DSS_PSK
methods, which would combine ephemeral Diffie-Hellman with RSA or DSA
certificates -- thus providing both forward security and
certificate-based server authentication.  I don't know if this variant
is really needed (probably so rarely that combining multiple different
key exchange methods via renegotiation is a more reasonable technique
than specifying another set of specific ciphersuites), but it
certainly looks more useful to me than TLS_DHE_PSK_WITH_NULL_SHA!

So currently I think we should cut down the I-D to only two
