IETF Logo Mail Archive

Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.

Shahin Noursalehi <mixoftix@gmail.com> Sat, 07 February 2015 08:29 UTC

Return-Path: <mixoftix@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F15601A890B for <tls@ietfa.amsl.com>; Sat, 7 Feb 2015 00:29:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.326
X-Spam-Level: ***
X-Spam-Status: No, score=3.326 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DEAR_SOMETHING=1.973, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_BELOW2=2.154, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AlfzS8v0vOO for <tls@ietfa.amsl.com>; Sat, 7 Feb 2015 00:29:22 -0800 (PST)
Received: from mail-la0-f44.google.com (mail-la0-f44.google.com [209.85.215.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC8CE1A88E4 for <tls@ietf.org>; Sat, 7 Feb 2015 00:29:21 -0800 (PST)
Received: by labge10 with SMTP id ge10so5292563lab.12 for <tls@ietf.org>; Sat, 07 Feb 2015 00:29:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xw6Im2rH91bl7kUU757ZN/qD4t10qGHQ2v6t1rCZWTY=; b=CZPPK3PRUqsU28X1CiU4manmPk4PYFG1PcV4/Vkclba/9l6vtSAguLHa49AiSWydkl fUGl4CACyj71GZ+BLNpr9RRq2JgVazvMnqmr9w8+mHOFJtnsVZotGr61U6410MCfkuzw 2vhDvD80ZVpv9nB80ZV+eyL27WEnKb81N7vrGIprMVl1ehcIkzQm9jF0X334KpzHzX6b y48VDiQRGpu96dj/eF3OMsNSrmbBwnKPT06c4+7n42Dnx11NaRM3JMEnFjeCrgGD+tAJ /CT8FQwieXEF1lMCRWno0RznktQGQfFLlTd4mlP8aV94c7anAI1zuNIzSV0D39Ffvg0A ql/Q==
MIME-Version: 1.0
X-Received: by 10.112.53.137 with SMTP id b9mr6470550lbp.66.1423297760379; Sat, 07 Feb 2015 00:29:20 -0800 (PST)
Received: by 10.112.156.8 with HTTP; Sat, 7 Feb 2015 00:29:20 -0800 (PST)
In-Reply-To: <CA6569EF-931B-4787-85DC-8A39EA7EB8F0@gmail.com>
References: <CADrAmL6xOMOauSHuTR8BUK7i4NG2Zx3H90dA6k36YMu81pVW0A@mail.gmail.com> <3FE6EA13-AF0F-4838-9F1F-CB0DEC158225@gmail.com> <CA6569EF-931B-4787-85DC-8A39EA7EB8F0@gmail.com>
Date: Sat, 07 Feb 2015 11:59:20 +0330
Message-ID: <CADrAmL4mKQOZfZ1-D47s4ciC6H_9hwv6YCQKNP1FCbdF8S_ODg@mail.gmail.com>
From: Shahin Noursalehi <mixoftix@gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/les4V1UBvPhrAHMIDSyT5MOp_JU>
X-Mailman-Approved-At: Sun, 08 Feb 2015 00:51:00 -0800
Cc: abadi@cs.ucsc.edu, tls@ietf.org, ChristopherA@alacritymanagement.com
Subject: Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Feb 2015 08:29:24 -0000

sorry, I am new in ietf. it seems I should reply-all.

Thanks for all valid comments & updates,,

about migration from TLS 1.2 to 1.3 and higher, while we focus on the
value of "pre_master_secret", the idea is still valid:

master_secret = PRF(multiple_pre_master_secret, "handshake master secret",
hash(handshake))

I think this could simply makes itself compatible with old versions of
TLS too. new versions of TLS in client side could understand it from the
amount of received public keys (from server) after beginning the
handshake phase and then run the proper routines. I have implemented
this idea in lab. I only see an over-load in key-exchange phase.

The goal of getting multiple certificate authorities involved in a TLS
session is *mitigating the problems of implementation* - not more
privacy by improvement in maths behind TLS. as you know better, human
mistakes/ attacks based on social engineering always threatens a good
implementation.

Anyway, this would be an optional process - so abides by the policies
of QoS too. After 2014, enterprises may look for a method that reduces
the risk of being victim of "fake SSL certificate issuers" or those
who "put a backdoor in RSA key-pairs". When we have sensitive data,
the cost among benefits is nothing. Sometimes a simple email in
internet among a patient and a physician that contains some critical
health information may jeopardize his/her life style and can not
roll-back.

~ Shahin



On 2/7/15, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> wrote:
> To obtain your multi-certificate guarantee as an extension to the standard
> TLS 1.3 (EC)DHE exchanges, you do not need multiple pre-master secrets. The
> server could send multiple Certificate and CertificateVerify messages, all
> of which sign the same handshake, that is, the same client and server
> keyshares. So, unless all the signing keys were compromised, the attacker
> cannot hijack the connection (since he cannot tamper with the server's
> keyshare).
>
> So a single PMS = KDF(g^xy + .....(handshake hash)....)
> but multiple server signatures over the handshake with different signing
> keys.
>
> However, I would be wary of changing the TLS state machine in so substantial
> a way without sufficient formal analysis.
>
>
> On 06 Feb 2015, at 18:07, Karthikeyan Bhargavan
> <karthik.bhargavan@gmail.com> wrote:
>
>> This scheme seems to assume an RSA key exchange which no longer exists in
>> TLS 1.3.
>>
>> To adapt the multiple PMS design to (EC)DHE would require more work, and
>> it is not clear what the benefit would be.
>>
>> -Karthik
>>
>> On 05 Feb 2015, at 10:17, Shahin Noursalehi <mixoftix@gmail.com> wrote:
>>
>>> Dear Sir/Madam,
>>>
>>> Refer to discussions around TLS 1.3 in Linkedin group "Cryptographers
>>> and Cryptanalysts", contributor experts agree on the idea of using
>>> multiple keys with multiple certificate authorities in a TLS session.
>>> So if one certificate authority is compromised hopefully the others
>>> are not. The suggested solution would be like the process bellow:
>>>
>>> Refer to the way that TLS generates the *master_secret*:
>>>
>>> master_secret = PseudoRandomFunction(pre_master_secret, "master
>>> secret", ClientHello.random + ServerHello.random)
>>>
>>> We could generate multiple peer-to-peer pre_master_secret(s) for each
>>> public-key that we receive from the server and XOR them all together.
>>> So, our offered method of calculation of master_secret will convert
>>> to:
>>>
>>> master_secret = PseudoRandomFunction(multiple_pre_master_secret,
>>> "master secret", ClientHello.random + ServerHello.random)
>>>
>>> where:
>>>
>>> multiple_pre_master_secret = XOR(pre_master_secret_1,
>>> pre_master_secret_2, .. pre_master_secret_n)
>>>
>>> and aim at preventing basic attacks that are known against
>>> one-time-pad, we could add a circular-bit-rotation(m) to the
>>> calculation above - each time we do an XOR:
>>>
>>> multiple_pre_master_secret = ROT(XOR(pre_master_secret_1,
>>> pre_master_secret_2, .. pre_master_secret_n), m)
>>>
>>> Please let us know about your point of views, then we could continue
>>> discussing the TLS.
>>>
>>> With best regards
>>>
>>> Shahin Noursalehi
>>>
>>>
>>> Reference:
>>>
>>> https://www.linkedin.com/groups/what-are-new-methods-attack-3901854.S.5958888203401314306
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email