Re: [TLS] New Version Notification for draft-bzwu-tls-ecdhe-keyshare-00.txt

" 武炳正(允中) " <bingzheng.wbz@alibaba-inc.com> Tue, 28 April 2015 02:53 UTC

From: 武炳正(允中) <bingzheng.wbz@alibaba-inc.com>
To: 'Ilari Liusvaara' <ilari.liusvaara@elisanet.fi>
Cc: tls@ietf.org
Date: Tue, 28 Apr 2015 10:53:13 +0800
Message-ID: <001c01d0815e$783cbde0$68b639a0$@alibaba-inc.com>
In-Reply-To: <20150427173533.GA910@LK-Perkele-VII>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lprVXNoU69BdavrH9Gl5ne0VgCI>


> -----Original Message-----
> From: Ilari Liusvaara [mailto:ilari.liusvaara@elisanet.fi]
> Sent: Tuesday, April 28, 2015 1:36 AM
> To: 武炳正(允中)
> Cc: tls@ietf.org
> Subject: Re: [TLS] New Version Notification for
> draft-bzwu-tls-ecdhe-keyshare-00.txt
> 
> On Mon, Apr 27, 2015 at 08:28:16PM +0800, 武炳正(允中) wrote:
> >
> > https://datatracker.ietf.org/doc/draft-bzwu-tls-ecdhe-keyshare/
> >
> > This extension allows a TLS client to carry ECDHE keyshare in ClientHello
> message, so as to reduce the full handshake latency of 1RTT.
> >
> > Please kindly review it. Any comments are welcomed.
> 
> Taking a quick look (not considering if this is a good idea or not):
> 
> > In fact the new version, TLS version 1.3 [draft], which is a work in
> > progress, supports only ECDHE for key exchange.
> 
> This is just wrong. In TLS 1.3 editor's copy and in latest draft, non-ECC DHE is
> supported (2k, 3k, 4k and 8k).

Thanks for the reminder.
Maybe a 'type' should be added to each ClientKeyShareOffer, to indicate the different Diffie-Hellman exchanges.
And this extension's name should change from ECDHE-keyshare to DH-keyshare.

> 
> (The value list seems to be out-of-sync with ffdhe draft, which also has 6k).
> 
> > ECParameters    curve_params;
> 
> I consider supporting arbitrary curves here a bad idea. Why not just use values
> out of EC Named Curve Registry (16-bit)?
> 
> (That's the way TLS 1.3 does it).

I tried to change as little as possible, to avoid unnecessary trouble in both the protocol and the implementation.

> 
> > So I have not found any security problem with this extension yet.
> 
> Another problem:
> 
> Definition of extended_master_secret (security fix!) refers to
> ClientKeyExchange. The relevant part would have to be redefined (I guess
> taking session_hash after ServerKeyExchange would work).

I think so too.
I will add this in the draft after reading this extension carefully.
> 
> (Let's not get into working around THS by key checks).
> 
> 
> 
> -Ilari


Thanks again for your comments.
Bingzheng Wu
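As an added illustration, not part of the thread or of the draft, here is one way the per-offer 'type' discussed above could be carried the way Ilari suggests: a 16-bit group ID from the IANA Supported Groups registry in place of arbitrary ECParameters, so a server can ignore groups it does not know and reject malformed or mis-sized key shares before any ECDH or DH computation. The struct layout (`uint16 group; opaque key_exchange<1..2^16-1>`) and the decoder's checks are assumptions made for this example; the group numbers and key-share sizes are the registry values.

```python
import struct

# IANA Supported Groups registry values (facts, not from the draft): the named
# curves and ffdhe groups the thread refers to, with the expected public-value
# length for each (uncompressed EC point 0x04||X||Y, or the ffdhe prime size).
KNOWN_GROUPS = {
    23: ("secp256r1", 65),
    24: ("secp384r1", 97),
    25: ("secp521r1", 133),
    256: ("ffdhe2048", 256),
    257: ("ffdhe3072", 384),
    258: ("ffdhe4096", 512),
}

def encode_offers(offers):
    """Serialize [(group_id, public_value), ...] as the hypothetical extension
    body: offers<4..2^16-1> of {uint16 group; opaque key_exchange<1..2^16-1>}."""
    body = b""
    for group, pub in offers:
        if not 1 <= len(pub) <= 0xFFFF:
            raise ValueError("key_exchange length out of range")
        body += struct.pack("!HH", group, len(pub)) + pub
    return struct.pack("!H", len(body)) + body

def decode_offers(data):
    """Parse the extension body into {group_id: key_exchange} for known groups.
    Unknown groups are skipped; any length inconsistency raises so the server
    can abort the handshake with decode_error instead of guessing."""
    if len(data) < 2:
        raise ValueError("truncated offers length")
    (total,) = struct.unpack("!H", data[:2])
    if total < 4 or total != len(data) - 2:
        raise ValueError("offers length does not match extension body")
    pos, end, accepted = 2, 2 + total, {}
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated offer header")
        group, klen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if klen == 0 or pos + klen > end:
            raise ValueError("key_exchange length out of range")
        key, pos = data[pos:pos + klen], pos + klen
        if group not in KNOWN_GROUPS:
            continue  # server MUST ignore groups it does not support
        name, expected = KNOWN_GROUPS[group]
        if klen != expected:
            raise ValueError("%s key share must be %d bytes" % (name, expected))
        if group in accepted:
            raise ValueError("duplicate offer for %s" % name)
        accepted[group] = key
    return accepted
```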