Re: [TLS] Initial draft of DH-based key exchange
Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 23 March 2015 15:42 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD011A8F4B for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 08:42:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxOdlPhNWFib for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 08:42:35 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA9C11A89B8 for <tls@ietf.org>; Mon, 23 Mar 2015 08:42:35 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id D8960BACA8; Mon, 23 Mar 2015 15:05:49 +0000 (UTC)
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t2NF5lmD019607 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 23 Mar 2015 11:05:49 -0400
Message-ID: <1427123147.19595.62.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2015 16:05:47 +0100
In-Reply-To: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mxOMcgkR6EfPyemOwZSHoNMxrwc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 15:42:38 -0000
On Mon, 2015-03-23 at 08:36 -0500, Eric Rescorla wrote: > Folks, > At the interim discussed transitioning to a DH-based handshake (rather > than a signature-based one) like that proposed by Hugo Krawczyk and > Hoeteck Wee. The major rationale for this change is that any 0-RTT > mode is inherently DH-based and so if we make that our basic mode, > then we can simplify the protocol logic and key derivation model. This > model also allows us to pull in PSK modes under the same basic > structure. [...] > The WG sentiment was generally favorable to exploring this avenue but > there was also airly strong WG sentiment that we didn't presently want > to do an offline signatures. This leaves with a model in which the > client initially learns the server's semi-static DH share through > an online-signed 1-RTT handshake but then can cache it for use with > future connections. Wasn't that discussed in the list before? My impression was that the outcome of that discussion was not to add that. Anyway, a first question that comes to mind, is why this isn't defined as separate ciphersuites? Why does it even have to be TLS 1.3 related? Static DH parameters is an experiment that failed years ago. What has changed since then that we believe now it is going to work? You even dropped the static DH ciphersuites from TLS 1.3. Please make that part optional so you don't doom the whole TLS 1.3 protocol enhancements if no-one switches to static DH keys (in the document they are described as semi-static DH keys - but there is no definition of what that means). A second question is why HKDF? Why is it even there? Is there any issue with the current TLS PRF and we need another? Is there a valid reason to bloat implementations with shipping multiple KDFs? This kind of changes shouldn't be done without thought, as it is now there cannot be any code sharing between TLS 1.2 and 1.3 and we risk having implementers stay with TLS 1.2 for the next decade. regards, Nikos
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara