Re: [TLS] Initial draft of DH-based key exchange
Hugo Krawczyk <hugo@ee.technion.ac.il> Mon, 23 March 2015 19:22 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 599FF1A079D for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 12:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMrCs-V9ynZy for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 12:22:45 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B697A1B29D8 for <tls@ietf.org>; Mon, 23 Mar 2015 12:22:37 -0700 (PDT)
Received: by lbcmq2 with SMTP id mq2so15652686lbc.0 for <tls@ietf.org>; Mon, 23 Mar 2015 12:22:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=CovSjXHazM3jA7jd/o/Yh4qOimE9GT1PgGSIV9LrJ6o=; b=FMReI1JKwGdHyescABWpk46QdkEDNg0cXJpwxHCPQZJlmyU+L0YKxRo8KwK83XbiSh SgV0kkteeq8mEjnKqXy7C8RrlZXcDNLeBsWQiB5db4ZTntJqwM+u28DEp8fbboc0wXqp oPipvHrFuRbcqjMIEF1i8oIYvOdHa+pYll45/VXMIQN6XUsmg2ZCN6649WzckkhLJyfG +V0cK152dwF5eHRJBgJPjTFg/Cveap3IDMMSRW6xiAWLplWhKgI1vxFxzTi8kK2lHKoK /NqUalkQ9ax31rg0BTSriA6XO5ApaGr7iSixAIPv98+NwYWQdm0Y4QW6kByEXtrxsQxa j5FQ==
X-Received: by 10.152.27.39 with SMTP id q7mr498747lag.49.1427138556227; Mon, 23 Mar 2015 12:22:36 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.19 with HTTP; Mon, 23 Mar 2015 12:22:05 -0700 (PDT)
In-Reply-To: <1427123147.19595.62.camel@redhat.com>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <1427123147.19595.62.camel@redhat.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 23 Mar 2015 15:22:05 -0400
X-Google-Sender-Auth: 1_Gsizr4lIPLpsNuON3L56jeLP4
Message-ID: <CADi0yUMxvN3hHJ2zx7m5hOrPdu080DjvyOGim8c3++QETcx3bA@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: multipart/alternative; boundary="089e0160aca4b0774d0511f99619"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iJpeGF5bzqsS47AdGLOajPUbD2M>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 19:22:49 -0000
Hi Nikos, These are good questions - see responses below. On Mon, Mar 23, 2015 at 11:05 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > On Mon, 2015-03-23 at 08:36 -0500, Eric Rescorla wrote: > > Folks, > > At the interim discussed transitioning to a DH-based handshake (rather > > than a signature-based one) like that proposed by Hugo Krawczyk and > > Hoeteck Wee. The major rationale for this change is that any 0-RTT > > mode is inherently DH-based and so if we make that our basic mode, > > then we can simplify the protocol logic and key derivation model. This > > model also allows us to pull in PSK modes under the same basic > > structure. > [...] > > The WG sentiment was generally favorable to exploring this avenue but > > there was also airly strong WG sentiment that we didn't presently want > > to do an offline signatures. This leaves with a model in which the > > client initially learns the server's semi-static DH share through > > an online-signed 1-RTT handshake but then can cache it for use with > > future connections. > > Wasn't that discussed in the list before? My impression was that the > outcome of that discussion was not to add that. > The objections to the original proposal were related to the use of offline signatures to sign a semi-static DH key. This is not an option in ekr's draft. Neither the draft accommodates DH certificates. All server's authentication is based on regular (online) TLS signatures except if the client has cached a semi-static key from the server as needed to support 0-RTT. In the latte case authentication must be done via the possession of the semi-static DH secret by the server (a 0-RTT flow cannot be authenticated via signatures). > > Anyway, a first question that comes to mind, is why this isn't defined > as separate ciphersuites? Why does it even have to be TLS 1.3 related? > Static DH parameters is an experiment that failed years ago. What has > changed since then that we believe now it is going to work? You even > Two important things change in TLS 1.3: - Forward secrecy (PFS) is now mandatory. - The protocol accommodate a 0-RTT mode. These two changes can only be implemented via Diffie-Hellman transforms (in theory, any CCA-secure public key encryption can be used but (EC)DH is the only currently practical instantiation in this setting). In particular, 0-RTT requires supporting semi-static DH keys for the server. All that ekr draft does is to build a protocol where PFS is supported, 0-RTT is supported, semi-static keys are supported, and TLS-type signatures are supported in any case where the client does not have a cached semi-static key of the server. The beauty of it, if I can say so, is that all these modes are just subsets of a single protocol with a single crypto logic and uniform specification (which also covers uniformly PSK and resumption). The alternative is to keep TLS 1.2 and add to it the semi-static case as a patch, hence requiring essentially implementing all that is now in ekr's draft (for PFS and 0-RTT) plus all the mechanics of 1.2. From the cryptographic analysis point of view this would mean analyzing two separate protocols as well as making sure these two protocols do not have any bad interaction when put together. > dropped the static DH ciphersuites from TLS 1.3. Please make that part > optional so you don't doom the whole TLS 1.3 protocol enhancements if > no-one switches to static DH keys (in the document they are described as > semi-static DH keys - but there is no definition of what that means). > > A second question is why HKDF? Why is it even there? Is there any issue > with the current TLS PRF and we need another? Is there a valid reason to > bloat implementations with shipping multiple KDFs? This kind of changes > shouldn't be done without thought, as it is now there cannot be any code > sharing between TLS 1.2 and 1.3 and we risk having implementers stay > with TLS 1.2 for the next decade. > HKDF is just a way of structuring the use of TLS PRF (HMAC-PRF) in a way that supports a uniform, hierarchical key derivation scheme which is common to all the modes of the protocol as discussed above (including PSK, Export, resumption, etc.) and which accommodates deriving keys from possibly non-uniform secrets such as DH values, passphrases, etc. In particular, it sets no requirements or assumptions in the form of the secret/entropy source from which keys are derived, hence freeing the protocol instantiation from things like point representation in an elliptic curve (it will work with compressed representation, uncompressed ones, etc). I believe these are all huge benefits at all levels: design, analysis, specification, implementation, maintenance of the protocol (future changes/additions). I cannot comment on code sharing though, although I hope we do not ruin the future by tying ourselves too much to the past. Hugo > > regards, > Nikos > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara