Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
Yoav Nir <ynir.ietf@gmail.com> Mon, 02 January 2017 19:43 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15DC81296E4 for <tls@ietfa.amsl.com>; Mon, 2 Jan 2017 11:43:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2LYblJThLi9 for <tls@ietfa.amsl.com>; Mon, 2 Jan 2017 11:43:46 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3872A1296E3 for <tls@ietf.org>; Mon, 2 Jan 2017 11:43:46 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id m1so49893898wme.0 for <tls@ietf.org>; Mon, 02 Jan 2017 11:43:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Uho5tSASUlRBwB3bl4wi66ajqrPdr5djSHh1vJAI1O8=; b=nBUAZq2aL+QK4DhnMZDyBl7ttdVZ55n7DJuR9hK0P7anjlx/h8YSFr41JVkjZjpHnf WWHxkU1IEs6TkL4HMx1SA6XLf7FolfOK91YT2h93Gj0J+n2YisZEZ85W5Q/26d4FwUeo e8KhOWyoplzzhmv/fwVGTPYlclmlPu/WRcQ8LiibBj7Kwx8YzpjLNtMyziKxBV1m8pG1 w+noVbJJvr5hEHVnmRdegroW5faOUkTi/+rojkH9WNDfFYLhUpoZwnMLXcA/6jxb/G/k l41O7a6JAwQbkDmXnnySuuAV2N1X14Id93n5T948kFjKvPf9XiQ0MRA/O0ip81TkEU6E rOaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Uho5tSASUlRBwB3bl4wi66ajqrPdr5djSHh1vJAI1O8=; b=FvuHAImygY02M3iWX6QMFyZ2YfmajXxgRVAuI1+DYYkRwVz0nYR0XA8UJI4eQCE2kR amht9Veot/IN4c2HDmeJPrhaI+71Rkvme7DMCpGtWdoUW5FXoLH0thd8Qj0thdUqRH/R jFiRhzUxQFM2v0s33IOl5saq2ADHqq7prLibn1FY64ZK9ZcqN0M33d+jtbWHlq1rUhep 5qWQP+v5QmC05UxVx1lLgW/b7oh2KmqQma+fPyUKCfEucnqNGIqdkG6AgzVifF1rRiK0 MeNU3KCJSYSKtHd8ETh0tcTKOoscKf7H7FYq+K8ZQ4cqO55k0H6W2h/GJ+mk0m/lQpOP 4BoA==
X-Gm-Message-State: AIkVDXK1KnwaVc6BUCKBR4Am4vG+XdxWSuac+4mRzDJs86LdSOjlYa7LgCE9PQRrKMkiEQ==
X-Received: by 10.28.46.197 with SMTP id u188mr55807923wmu.61.1483386224701; Mon, 02 Jan 2017 11:43:44 -0800 (PST)
Received: from [192.168.1.14] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id w197sm85883887wmd.11.2017.01.02.11.43.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Jan 2017 11:43:44 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <071A0098-8E03-4DCB-AA3F-4AD9424C9493@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_322260F7-545B-4840-A634-EA06EB47DA12"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 02 Jan 2017 21:43:41 +0200
In-Reply-To: <CABcZeBOa7rNSX-bZgQ4HS02XX0c_bMMfTMPfpmtxyq7DrnpmuA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <CAFewVt44xm3rgm=n8PpEcqbTvC-Ei2EvoJciL=+m2UnQ-fUm2A@mail.gmail.com> <CAMfhd9Xq4RA6XBqLZtsbWSnMk4SnvZLC9V3_gCH-FzyVBMg4xg@mail.gmail.com> <CADi0yUPSkBhyuX7utW1tsVkkbDc6YgBLie41qWPwbo+X6CpuZA@mail.gmail.com> <1483330131409.25713@cs.auckland.ac.nz> <5542029D-293A-44F5-9A11-62F5C47A4BA5@gmail.com> <CABcZeBOa7rNSX-bZgQ4HS02XX0c_bMMfTMPfpmtxyq7DrnpmuA@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/my_k851yx1-HwFVmnRtGLzTGJTk>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2017 19:43:48 -0000
> On 2 Jan 2017, at 20:59, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Mon, Jan 2, 2017 at 8:58 AM, Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com>> wrote: >> >> . >> >> Since I think the utility of this falls off as a reciprocal, I'll try >> making a concrete suggestion for a time limit: 10 seconds. > > I like this number, because that’s the number I chose when I implemented ECDH caching in Check Point’s TLS library. It makes key generation rare enough that it makes no difference for server load in any normal hardware, and frequent enough that if you destroy the keys after they are last used then attackers have a very narrow window of opportunity to get your keys. Especially if they need to get a warrant. IoT may be abnormal hardware in that regard. > > Still, if we want to accommodate the banking industry (or whatever part of it we’ve talked to in Seoul), then they need to be able to tell based on a timestamp which private key was used for that handshake. With 60 seconds key changes are rare enough that there are at most two possibilities which I think is manageable. With 10 seconds clock skew can ruin your system. But I realize I’m bike shedding here. > > Yoav, > > Why do you need a precise clock here? If you're going to retrospectively decrypt, you > are going to need a list of all the private keys, so why can't you just index that by the > public key in the handshake? I’m assuming that the server generates private keys and saves them to a file along with the time period that they were used, and another machine in a different part of the network records traffic. It’s not so much that the clocks need to be accurate, as that they need to be synchronized, and there will still be some misalignment because of (variable) latency. I guess we are making guesses about systems that haven’t been written yet. Yoav
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx