Re: [TLS] OPTLS: Signature-less TLS 1.3
Eric Rescorla <ekr@rtfm.com> Sun, 02 November 2014 22:34 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D9CC1A1A3F for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:34:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.723
X-Spam-Level:
X-Spam-Status: No, score=0.723 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAHqwwsk_LHQ for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:34:17 -0800 (PST)
Received: from mail-wg0-f46.google.com (mail-wg0-f46.google.com [74.125.82.46]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64AD31A0687 for <tls@ietf.org>; Sun, 2 Nov 2014 14:34:17 -0800 (PST)
Received: by mail-wg0-f46.google.com with SMTP id x13so9885854wgg.19 for <tls@ietf.org>; Sun, 02 Nov 2014 14:34:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=csj2apvuKM9qli+4AJZnCvGk94lfQvqGfBYotWXYTnE=; b=LWqBk9ZkW4wDhncQ/Vwwz8r6JuxIz+dv7awynmpV4E0iE6Hl4CVWMioQAEOsekm6Lp fLd5BUGA2A97ZanuhXOlb3PXees3ydkfN2IntV028AzM4TtTQiRCxyN4xjOP5oqN7nK2 7aVGEENe8Yb0aibsIfqu0Ki1qE083ti9t8cdIE8RR0ppGfyR50cKiSIY4lu4dcAJMafW NrxB6JpcatAKTFzNwhzX7GGmUVGN3KIRlNUCmHhMHR2qjExQQFjXihpGAhLlsTEGYUz0 iotAvM4DQk0xGvnYVi648KLBTHDSlRml6WZtkJG5OmuX8Xf2XtJazIiDlJqiPDE/jf/t CQcw==
X-Gm-Message-State: ALoCoQl0yb10iIpDnAeHdAXgPN51BA55xD9lB4/kyDQJD5sFbuEln3oMsGAFWnYq0L+379cg0G7t
X-Received: by 10.180.108.43 with SMTP id hh11mr11828654wib.80.1414967655989; Sun, 02 Nov 2014 14:34:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sun, 2 Nov 2014 14:33:34 -0800 (PST)
In-Reply-To: <CADi0yUMM6C=NpvFsc67J6Dc6uEO3OZ490tFWhAYmD362mC+D4A@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <CABcZeBNQBC1XXFR5sGo=V8WmxmL5thaBpeHSasy3SordbqNRTQ@mail.gmail.com> <CADi0yUMM6C=NpvFsc67J6Dc6uEO3OZ490tFWhAYmD362mC+D4A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 02 Nov 2014 14:33:34 -0800
Message-ID: <CABcZeBNKpTMg+xhMK5TnO_W99MotoPw+_m9yrTqTUSwqyPpUPA@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="089e0122950a8117580506e7d47a"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/m0uqDPvzlSicXwLB5Spr2_z6g4k
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Nov 2014 22:34:19 -0000
On Sun, Nov 2, 2014 at 2:05 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > These are good questions as they point to some of the choices we need to > consider before defining the actual key derivation mechanisms in the protocol. > Below are some responses. Thanks for your explanations. > On Sat, Nov 1, 2014 at 3:44 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > 3. WRT client auth, I think we've generally decided that the client's > > certificate ought to be encrypted. Given that, I wonder if it would be easier > > for the client to just do a digital signature over the transcript and/or > > an authenticator derived from the secret. Generally, the additional > > cost of the RSA signature isn't a huge problem for most clients and > > those which do should be able to quickly move to EC-based keys. > > > I don't see the advantage of signatures in this case. It is possible to design a > hybrid protocol with signature authentication at the client side and static DH > at the server but I wouldn't do that without a clear advantage over the more > uniform approach using static DH on both sides. In any case, doing static DH at > the client should not be a problem, it is already doing it to authenticate the > server and compute keys. Thinking this through some more, if the client is doing certificate authentication, it is already provisioned with a long-term signature key and the corresponding certificate. In order to do static DH for authentication, it must either: - Generate a new "static" DH key on the fly and sign it. - Have some long-term storage where it stuffs the static DH key and its signature. The first option is obviously more computationally expensive than not doing so (though as I said above, not dramatically so if you are doing EC). As you suggest, this isn't an issue for servers since they are doing a lot of handshakes and can amortize the computation. However, because the client may be slow but not do a lot of exchanges, it may be an issue for clients. The second option may be trivial, if the client already has some generic key storage mechanism (e.g., one in software) though it's of course more work for the programmer. However, if the client has a non-generic key storage mechanism, such as a smart card with their key, then this becomes a significant problem, as it may not be able to store a DH key and/or use it for the kind of key derivation that would be required here. In that case, the client must find somewhere to store the DH key, which may entail significant effort. This last point points us to a larger issue we need to consider here, which is as follows. In TLS as it currently stands (both in 1.2 and the current TLS 1.3 draft), you can implement a system where the authentication keys are stored in hardware and an attacker who compromises either the client and the server cannot steal a credential which he can then use to establish new sessions [Note that if he steals the session cache, he can use it to resume old sessions.] In particular, because each signature is tied to a specific exchange, the attacker cannot reuse signed ephemeral values to impersonate the server. However, in a system where the server signs a long-term DH value, it may be the case that that value cannot be stored in the same hardware module that you are using for your signature key (purely for implementation reasons having to do with the interface the module exposes). In that case, the DH secret will be stored in software and compromise of the server potentially leaks a credential which can be used to impersonate the server for a significant period of time, where that time is dictated by the maximum amount of client-side clock error the server is willing to tolerate, so probably measured in days to weeks (and more if you are concerned about the time resetting attack Watson, Ilari, and I were discussing.) I haven't decided yet sure how serious an issue this is, but it's probably worth addressing explicitly. -Ekr
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk