IETF Logo Mail Archive

Re: [TLS] Initial draft of DH-based key exchange

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 23 March 2015 15:42 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD011A8F4B for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 08:42:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxOdlPhNWFib for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 08:42:35 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA9C11A89B8 for <tls@ietf.org>; Mon, 23 Mar 2015 08:42:35 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id D8960BACA8; Mon, 23 Mar 2015 15:05:49 +0000 (UTC)
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t2NF5lmD019607 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 23 Mar 2015 11:05:49 -0400
Message-ID: <1427123147.19595.62.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2015 16:05:47 +0100
In-Reply-To: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mxOMcgkR6EfPyemOwZSHoNMxrwc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 15:42:38 -0000

On Mon, 2015-03-23 at 08:36 -0500, Eric Rescorla wrote:
> Folks,
> At the interim discussed transitioning to a DH-based handshake (rather
> than a signature-based one) like that proposed by Hugo Krawczyk and
> Hoeteck Wee. The major rationale for this change is that any 0-RTT
> mode is inherently DH-based and so if we make that our basic mode,
> then we can simplify the protocol logic and key derivation model. This
> model also allows us to pull in PSK modes under the same basic
> structure.
[...]
> The WG sentiment was generally favorable to exploring this avenue but
> there was also airly strong WG sentiment that we didn't presently want
> to do an offline signatures. This leaves with a model in which the
> client initially learns the server's semi-static DH share through
> an online-signed 1-RTT handshake but then can cache it for use with
> future connections.

Wasn't that discussed in the list before? My impression was that the
outcome of that discussion was not to add that.

Anyway, a first question that comes to mind, is why this isn't defined
as separate ciphersuites? Why does it even have to be TLS 1.3 related?
Static DH parameters is an experiment that failed years ago. What has
changed since then that we believe now it is going to work? You even
dropped the static DH ciphersuites from TLS 1.3. Please make that part
optional so you don't doom the whole TLS 1.3 protocol enhancements if
no-one switches to static DH keys (in the document they are described as
semi-static DH keys - but there is no definition of what that means).

A second question is why HKDF? Why is it even there? Is there any issue
with the current TLS PRF and we need another? Is there a valid reason to
bloat implementations with shipping multiple KDFs? This kind of changes
shouldn't be done without thought, as it is now there cannot be any code
sharing between TLS 1.2 and 1.3 and we risk having implementers stay
with TLS 1.2 for the next decade.

regards,
Nikos

v2.23.0 | Report a Bug | By Email