Re: [TLS] A la carte handshake negotiation

Dave Garrett <davemgarrett@gmail.com> Sun, 14 June 2015 15:56 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58AE71B2F64 for <tls@ietfa.amsl.com>; Sun, 14 Jun 2015 08:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qr4eaaipEkIc for <tls@ietfa.amsl.com>; Sun, 14 Jun 2015 08:55:59 -0700 (PDT)
Received: from mail-qc0-x22f.google.com (mail-qc0-x22f.google.com [IPv6:2607:f8b0:400d:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01FFB1A905B for <tls@ietf.org>; Sun, 14 Jun 2015 08:55:05 -0700 (PDT)
Received: by qcbfz6 with SMTP id fz6so325291qcb.0 for <tls@ietf.org>; Sun, 14 Jun 2015 08:55:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=7lRMNtqse3tWdrnqstHSLJcEU6xDKlVH7FmBEYWku2U=; b=ot9o1+vrQ8OkkXzQPV0Xz1vXup4AHs+HTwNWbiJQ1oF75vsv0Ntq9RstIdIinzIx2f 0cnim/ibfGDqSnF/gXCHrvaEGiaTP4ZHLGuDi/9udFWFGJwduGg+hDlMgTJp+HRiNx2E 4N9eM98xYEaZxtetEfRuHL3/xwYF9/YusMmg/YF52BdDPXCsC01expSt/9bf8BCc+NFZ ObHQB6BLwvznQ7UEzQA8vpHaIUrozan7k8Faj9JiZJa82fFvE3ulk/u2FjqqovYeC9yw tJ4zYTBM9r7jgCYbcQq7dCXsxgDHy6p6OMIsGDNYd2XOLtrqQd5I8T/XcifzMsvTgqLS 5fXA==
X-Received: by 10.140.46.75 with SMTP id j69mr30155007qga.17.1434297304264; Sun, 14 Jun 2015 08:55:04 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id j62sm4856258qhc.33.2015.06.14.08.55.03 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 14 Jun 2015 08:55:03 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Sun, 14 Jun 2015 11:55:02 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201506111558.21577.davemgarrett@gmail.com> <201506132115.36615.davemgarrett@gmail.com> <20150614063342.GA24954@LK-Perkele-VII>
In-Reply-To: <20150614063342.GA24954@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201506141155.02725.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gZR7GXVOkr4l-q-AQItlWhrpeMc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2015 15:56:01 -0000

On Sunday, June 14, 2015 02:33:42 am Ilari Liusvaara wrote:
> Trick of using empty cert and HMAC(PSK, ...) as authentication to unify
> GDHE_CERT and GDHE_PSK won't work if one is to remain compatible with
> TLS 1.2 DHE_PSK (or at least, requires further tricks).
> 
> The problem is that in TLS 1.2, there is thing called PSK hint, which
> is optionally sent from server to client. Then client will chose its
> final PSK identity. In TLS 1.3, that sort of thing would need 1RTT
> miss, followed by extra message from the client to select the final
> PSK identity (and possibly also sending a missing group key if in
> GDHE_PSK).

https://www.ietf.org/mail-archive/web/tls/current/msg16748.html

ekr is currently considering adding a PSK identity extension for the ClientHello. (it's in his current WIP branch, atm) It's just a simple extension to have the client send the id it wants. This is what I was saying would be all that was needed for PSK. The entire signatures extension wouldn't be needed; just send the PSK id (anon=null) and the supported groups extension. Selected NamedGroup selects FF/EC DHE; for plain PSK, don't send this extension either.

> And I think optional handshake messages are a bad idea, being souce
> of nasty bugs (situation-dependent is different thing).

Yes, that sort of thing is a risk. This has PSK & CERT largely separate, so within each use-case, not much is optional.

From an alternate perspective, this could be viewed as kicking PSK/anon out of TLS 1.3 proper and moving it entirely to a dedicated extension (though, defined in the same document).


Dave