Re: [TLS] COSIC's look on TLS 1.3

Eric Rescorla <ekr@rtfm.com> Thu, 17 November 2016 07:15 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9F6129556 for <tls@ietfa.amsl.com>; Wed, 16 Nov 2016 23:15:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAgPBwJAYS7d for <tls@ietfa.amsl.com>; Wed, 16 Nov 2016 23:15:20 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6950D1294AE for <tls@ietf.org>; Wed, 16 Nov 2016 23:15:20 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id t125so147593791ywc.1 for <tls@ietf.org>; Wed, 16 Nov 2016 23:15:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ys/bRxQQAHjsYcQ1GVvDgSvxj5MRxdS6PdDowbRghFM=; b=EFjHfHx5GK/bqdreO5GVwvL0SnEjPXRQA6uC02hPzLKgXtwLw4nJmNhrXLoJkJPQ9u nfKRB/PmdpxX0x7tuPJ0NoD8s0yE38BrepKfMxITCvgXrNJcu79NC612hA/M+AFqup+k 7yOk3shlRjvgidGfowSopIXYtFfigJS4rNUQ7MNxRKf6fHKAGe38on24G8luWv66Lzmq oayebV7fV5rGzCgDqgonaKpLwoDeZrTUoucBvwWdQfKt7bGegPFeLLSpY5Dv2Y7S/IX5 sRve03h/2elVDWAbpZd4kjouyY+NGmIj589bsQwnv4eL62Op1y+kYMc1azDpS5ASgmmI 5XaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ys/bRxQQAHjsYcQ1GVvDgSvxj5MRxdS6PdDowbRghFM=; b=daeOxo5NwEhjBntGtkfKGIKaJXcx6EKF/4nnI+fDDffxSYxpwZXlENS6TG9kNHzsyD Ud2mpFABVCJWuym6MndiEUlwZF++A9WkYpP3cdrPuOrlCljqK+ktW+YaJvaN3Zxg1DAm S30+aJorD9VCWBsrzpIU1/YrkIaAxJMLMotaSeAvxJskfwQgaV/0BLE3n4WhLSddeJdN cFLq03NZMMVNpd8R5bTX5azwx6eyIm7UrOIdleEm2MjtDTt9eLdGlJ3LkO/2Azt2lkqU g8hwY/MA7/0iy76P0L4MFHXZlGRlne7FXjfl/BZO66XlNRCeWt/y8ZLSIQNzeSMgJE6X 5Ubw==
X-Gm-Message-State: ABUngvf1UNM0vUD63bnqNsJvazLXs9E9uOTIv+MepNWj8KMVI3zrn7Zqat8ndTpxAzCMBMXV4+wwYhN79RxzUA==
X-Received: by 10.129.125.215 with SMTP id y206mr1410115ywc.234.1479366919761; Wed, 16 Nov 2016 23:15:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.159.141 with HTTP; Wed, 16 Nov 2016 23:14:39 -0800 (PST)
In-Reply-To: <8C67E8BB-B230-4C84-A890-C57614FF8A46@esat.kuleuven.be>
References: <2d2ba626-0b5d-590f-efb7-e4ad30b5608b@esat.kuleuven.be> <201611081626.03635.davemgarrett@gmail.com> <8C67E8BB-B230-4C84-A890-C57614FF8A46@esat.kuleuven.be>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 17 Nov 2016 16:14:39 +0900
Message-ID: <CABcZeBNHCxyUfvT2G1LMuQqYQGZttpGoz+DNEJj7Do4ie0=9Xg@mail.gmail.com>
To: Roel Peeters <roel.peeters@esat.kuleuven.be>
Content-Type: multipart/alternative; boundary=001a11492dfabee41b054179f360
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fuOwoiYx22mBu9JmUioK3y15gqE>
Cc: Jens Hermans <Jens.Hermans@esat.kuleuven.be>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] COSIC's look on TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2016 07:15:23 -0000

This paragraph refers to the anti-downgrade mechanism described in 4.1.3.

-Ekr


On Wed, Nov 9, 2016 at 6:56 AM, Roel Peeters <roel.peeters@esat.kuleuven.be>
wrote:

> Hi Dave,
>
> We are wondering because of this piece of text from the RFC EDITOR just
> above paragraph 4.1.4 on Hello Retry Request:
>
> RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH Implementations of draft
> versions (see Section 4.2.1.1) of this specification SHOULD NOT implement
> this mechanism on either client and server. A pre-RFC client connecting to
> RFC servers, or vice versa, will appear to downgrade to TLS 1.2. With the
> mechanism enabled, this will cause an interoperability failure.
> Best,
> Roel
>
> On 8 Nov 2016, at 22:26, Dave Garrett <davemgarrett@gmail.com> wrote:
>
> On Tuesday, November 08, 2016 09:55:36 am Roel Peeters wrote:
>
> we are also wondering whether or not the Hello Retry Request will be
> included or omitted in the standard. Leaving it out will make TLS 1.3
> vulnerable again to downgrade attacks ...
>
>
> Why are you wondering about this? HRR is in the specification and there
> has been no discussion to remove it.
>
>
> Dave
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>