[TLS] Comments on various things on agenda (Was: Re: TLS Interim - update and agenda)
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sun, 08 March 2015 18:03 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 778901A0097 for <tls@ietfa.amsl.com>; Sun, 8 Mar 2015 11:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.399
X-Spam-Level: *
X-Spam-Status: No, score=1.399 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sDhALOveYYR for <tls@ietfa.amsl.com>; Sun, 8 Mar 2015 11:03:13 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC1A91A0087 for <tls@ietf.org>; Sun, 8 Mar 2015 11:03:12 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 6033869968 for <tls@ietf.org>; Sun, 8 Mar 2015 20:03:10 +0200 (EET)
Date: Sun, 08 Mar 2015 20:03:10 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20150308180310.GA10911@LK-Perkele-VII>
References: <CAOgPGoCcexve9+C2bNSGVWUksZCva66OWbf8nrxkg0PquOpZ_w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAOgPGoCcexve9+C2bNSGVWUksZCva66OWbf8nrxkg0PquOpZ_w@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jjKnkbSlP9CjHVfzVx92Ky6HdVE>
Subject: [TLS] Comments on various things on agenda (Was: Re: TLS Interim - update and agenda)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2015 18:03:15 -0000
On Tue, Mar 03, 2015 at 04:06:22PM -0800, Joseph Salowey wrote: > > The agenda for the interim is available here: > > http://www.ietf.org/proceedings/interim/2015/03/10/tls/agenda/agenda-interim-2015-tls-1 Since I won't be participating, here are some comments and thoughts about items on the agenda: Backwards compatibility: ------------------------ Is this about what is needed for compatiblity with past TLS versions? If so, the things that I think need preserving are: - ClientHello record header, message header and overall format. - ClientHello being the only mandatory message in its flight. - ServerHello record header, message header and version field (first two bytes). - Signature TBS must not cause undesirable interactions with signature TBS in past versions. - The first byte of record header needs to remain subprotocol id (for muxing TLS with other stuff) - If finished messages get removed or changed to be just markers, deriving replacement TLS-unique value. - Having drop-in replacement for TLS-Extractor. The first three are about downnegotiation being possible without delay, the fourth is about cross-protocol interactions, and the last three are about application compatiblity. Other than theses, I don't see much backwards compat concerns. In practicular, the handshake changes tend to screw everything that isn't aware of TLS 1.3 but tries to interpret it. Or is this about dealing with the 1%+ TLS 1.3 intolerance? 0-RTT: ------ Although basic 0-RTT is essentially just strapping AEAD cipher to IES (asymmetric encryption using DHFs) using parameters preprovisioned by the server (or just plain AEAD if resuming), there are more subtle things: - Can replay protection be realistically provoded? - If replay protection can't be provoded, authenticating the early data is just plain dangerous. - Authentication here is very easy to get wrong, even if one somehow gets replay protection. - Even without authentication, this could be useful for protocol banner exchange, speeding up protocol startup (and replaying protocol banners does not seem to be useful for attackers). Tickets/Resumption/PSK: ----------------------- - Tickets or resumption should not compomise FS (by storing MS). - Can resumption be ratcheded even for re-resumptions (so re-resumption doesn't put resumed sessions at risk)? - Tying resumption to PSK might cause issues with PSK identity selection. - PSK identity selection can require 2RTT in some cases supported by TLS 1.2 (plus new messages and changes to messages). - PSK adds a fair chunk of complexity. OPTLS: ------ OPTLS can be viewed as two-level key scheme. The usual benefits of two-level key schemes: 1) Potential for speed enhancement by quickly rotating weaker keys (weaker crypto is usually faster). 2) Better isolation of higher key. 3) Allowing quick rotation of lower key. The drawbacks are that now one has a key that can sign quite damaging things, and this mechanism increases complexity (by having second certificate mechanism that works in different way). However, the higher-level key might be more protectable than sole key (it may be possible to apply more checks). If attacker just steals the higher key, you are as screwed as currently. As for revocation of lower key, it should be noted that in present WebPKI, realistic revocation times are a day or two. Of course, trying to push validity period down, one runs into issues with clock skew (no secure time protocol!). Also, if one tries to enhance performance, OPTLS inherently ties the lower key strength with encryption strength, so if one uses weak key, the encryption will also be weak (encryption strength and strength of upper key are decoupled like with sole keys, in contrast to the usual myth). Also, I am not seeing solid peformance advantages (without HECC, which currently is not usable). In short, the worst downsides I see are: - Extra complexity - Revocation/expiry of lower-level keys. - More things to potentially go wrong in development. - Does not seem to provode solid peformance advantages. Update/Rekey: ------------- Rekeying needs to be stateless, so not to cause too much extra complexity to TLS stacks and especially to applications. In practicular, this means: - Simultaneous rekeys are handled properly. - ACKs can be delayed by an arbitrary amount (since no extra flights can be added). - Rekey must not cause race conditions with TLS-Extractor. Authentiation via update is very hairy due to application-level issues it can cause (even if restricted to happen only once per connection). Key hierarchy/derivation: ------------------------- - Handshake master secret [hMS] - Application CtS master secret [cMS] (derives from hMS) - Application StC master secret [sMS] (derives from hMS) - Extractor master secret [eMS] (derives from hMS) - Resumption Premaster Secret [rPMS] (derives from hMS) The earliest possible points of derivation (any earlier runs into known problems): - hMS: After Hellos&Shares - cMS: After Hellos&Shares - sMS: After Hellos&Shares - eMS: After EncryptedExtensions - rPMS: After entiere handshake However, it might be better to derive cMS and sMS at respective finished messages (or placeholders thereof), since that is just before messages with those keys should start appearing (any earlier is an error). Signature format/orthogonal negotiation: ---------------------------------------- Is orthogonal negoiation about decoupling encryption, key exchange and signatures from each other? If so, recently I have heard of quite nasty comments about inability of TLS to do that (these choices seem independent enough, to avoid the "chinese menu problems"). Regarding signature format, isn't the current rule that the key specifies the signature format (and then there is capability advertisment)? Any reason that doesn't still work? OHOH, CFRG might come up with some new signature format (e.g. something based on EdDSA), should prepare for that. I think the changes to add new signature format are: - Codepoint for signature negotiation - Format identifier for signature+hash combo (OID in case of X.509 or RPK). MTI cipher suites: ------------------ I see there being only two realistic AEAD ciphers: - AES-GCM (if you have hardware support) - Chacha20-Poly1305-AEAD (no need for hardware support) Regarding key exchanges: ECDHE: * NIST curves available (but violate crypto best practices) * Brainpool curves available (but are slow) * CFRG curves are not yet available (missing details, but I would be surprised if one isn't Curve25519 as-is) DHE: * Very slow. Scales badly. Regarding signatures: ECDSA: * Quite crappy (behind the times even when invented, for apparently classified reasons). RSA: * Slow to sign. Scales badly. <whatever CFRG comes up with>: * Not yet. -Ilari
- [TLS] TLS Interim - update and agenda Joseph Salowey
- Re: [TLS] TLS Interim - update and agenda Yoav Nir
- Re: [TLS] TLS Interim - update and agenda Benjamin Beurdouche
- Re: [TLS] TLS Interim - update and agenda Sean Turner
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- [TLS] Comments on various things on agenda (Was: … Ilari Liusvaara
- Re: [TLS] Comments on various things on agenda (W… Eric Rescorla
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Stephen Farrell
- Re: [TLS] Comments on various things on agenda (W… Aaron Zauner
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Aaron Zauner
- Re: [TLS] Comments on various things on agenda (W… Stephen Checkoway
- Re: [TLS] Comments on various things on agenda (W… Blumenthal, Uri - 0558 - MITLL
- [TLS] MTI policy & practice (Was: Re: Comments on… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Yoav Nir
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Watson Ladd
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Brian Sniffen
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Sean Turner