Re: [TLS] OPTLS: Signature-less TLS 1.3
Eric Rescorla <ekr@rtfm.com> Sat, 01 November 2014 23:22 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23FD1A1B9E for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qkp4nnD1QDoK for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:22:47 -0700 (PDT)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96BEF1A1B9C for <tls@ietf.org>; Sat, 1 Nov 2014 16:22:46 -0700 (PDT)
Received: by mail-wi0-f173.google.com with SMTP id n3so3849348wiv.6 for <tls@ietf.org>; Sat, 01 Nov 2014 16:22:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=zhNWh/czQbukas/Nfn98JT0J74FgcBeLjI6RBAnIzRw=; b=kgyGPceSSTcbRm0BNQPgiD+ccwh2XPvkwnulTu275/rWC9L8PEVZAZ1u2gokJep4L1 x4wTRLgmMyKRld7QOIhwKTx4aCSQj6YVeLRzmqx2QVnLIelX75aHLSYw/1T/KJcTLrwu /9h739RAmjd3idd3N5T52+ZR+oeFZvgPY0OvOLXwwe0koxttbxmq0RLNm2B/mXGPJN8Q RTvZ7/xdDbbQxIh5rYMNeX7LGUD3uIg97LZ6RtTEmPLsrLjfU35nkxJCvEGpvqA+WJwF YUQ+g2qReO0n+k+b3XEmKzam72ef0yB5pbtM7c9i5SQE4sFLCk1cLtI2uWHmxsaBK1MU ooEg==
X-Gm-Message-State: ALoCoQloykpv459HACyEslvxdBj7alF4BOv2rpVYsjD92VYbcK9GkhrYpjK74a1NGIZOj4M1UitP
X-Received: by 10.194.76.202 with SMTP id m10mr15053102wjw.42.1414884165239; Sat, 01 Nov 2014 16:22:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sat, 1 Nov 2014 16:22:05 -0700 (PDT)
In-Reply-To: <CACsn0cmX1gdhBRbpSwoS0qqffOBXMOg-=xLn56EpiL=40t_kmw@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com> <20141101101611.GA25180@LK-Perkele-VII> <CABcZeBNYpQu=SCorXDa+TEEGVLb7d902LAed5fjDeK-wbafVRw@mail.gmail.com> <CACsn0c=c6z5VR3KZ2f6oydVrFxBxzWwpbyVr4Xt5x04NAUiVYQ@mail.gmail.com> <CABcZeBNG1q37tZ1JOZEKOm8aAVZc3Ve6C5jkFTdA0fWu_kjn5g@mail.gmail.com> <CACsn0cmX1gdhBRbpSwoS0qqffOBXMOg-=xLn56EpiL=40t_kmw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 01 Nov 2014 16:22:05 -0700
Message-ID: <CABcZeBPbRD44oXMmdGHWooFVp5qshzO_ML9e6QnKUQDUoSoOLQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bf0c1b2115d520506d4648e"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/g2NquXaeHdaKpha-InJrg25jrbU
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 23:22:49 -0000
On Sat, Nov 1, 2014 at 3:22 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sat, Nov 1, 2014 at 2:45 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > On Sat, Nov 1, 2014 at 2:07 PM, Watson Ladd <watsonbladd@gmail.com> > wrote: > >> > >> On Sat, Nov 1, 2014 at 7:46 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> > > >> > On Sat, Nov 1, 2014 at 3:16 AM, Ilari Liusvaara > >> > <ilari.liusvaara@elisanet.fi> wrote: > >> >> > <snip> > >> >> > >> >> However, this poses some challenges with respect to revocation. From > >> >> what > >> >> I > >> >> understand, the parameters are intended to have limited lifetime > (much > >> >> shorter than EE certificates). > >> >> > >> >> The reason this is problematic is that one can't really rely on > clocks: > >> >> - Even if you happen to have sub-second accurate clock, a lot of > >> >> computers > >> >> don't. > >> >> - The time protocols often aren't secured, allowing attacker to play > >> >> tricks > >> >> with endpoint time. > >> > > >> > > >> > We're already starting to have that problem because of a desire to > move > >> > to > >> > OCSP > >> > stapling, which, with staple, effectively gives the server a > credential > >> > which is > >> > valid only within a fairly narrow window. However, I think you're > right > >> > that > >> > this > >> > probably limits the range of lifetimes you can use with these signed > DH > >> > keys. > >> > >> That's not the problem Illari was talking about: It's not that g^s has > >> limited lifetime, but that there is no way to know that the lifetime > >> is expired, so it has long lifetime. NTP is not secure, so we have to > >> deal with bad clocks. In the case of certificates, this is usually not > >> so bad as the lifetimes are long. It might not be a problem for this, > >> as we can occasionally resign, keep s in memory and not be worse off > >> than today, or say that TLS clients need trusted clocks to avoid > >> compromise when s is revealed. > > > > > > Yes. I understand this. My point is that OCSP Stapling is effectively > > like short-lived certificates (and short-lived DHE shares) in that > > you have a credential which is valid for a relatively short period of > > time and which therefore requires that therefore requires tight > > clock synchronization. And since we're moving towards OCSP > > stapling and short-lived certs, we've got this problem in any case. > > Ah, I was thinking of a different problem with OCSP stapling, which is > getting the response to staple periodically, and when you don't... > > Thinking about it more, I think I don't understand this. X509 > certificates have expiration dates. Doesn't that mean the client needs > a synchronized clock already? Yes, it does. > Why does the duration of the validity of > the response affect the existence of this issue? > My argument here is that clients have some ability to sanity check network time information, and so it's not necessarily like the attacker can set the time to anything (I don't know how NTP clients currently work). So an attacker who can only move the clock by a day or two is going to of course be more effective attacking credentials with a short time window than with a long time window (though arguably that's because the latter is less secure to start out with). Does that make sense? -Ekr
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk