Re: [TLS] Static DH timing attack

Lanlan Pan <abbypan@gmail.com> Wed, 16 September 2020 02:09 UTC

References: <5595BB40-3AFD-4327-B7B7-5E63FFC594DD@akamai.com> <c67ad3e62c4d49dbb17eb29b6fc7ff20@blackberry.com>
In-Reply-To: <c67ad3e62c4d49dbb17eb29b6fc7ff20@blackberry.com>
From: Lanlan Pan <abbypan@gmail.com>
Date: Wed, 16 Sep 2020 10:09:13 +0800
Message-ID: <CANLjSvW+psVsRcef1h6BsQqVudTT9n=yn098y7JfmZqV8uS5og@mail.gmail.com>
To: Dan Brown <danibrown@blackberry.com>
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n-Qz9DwviKyitwE5lFuV3H6Bd_A>
Subject: Re: [TLS] Static DH timing attack

Dan Brown <danibrown@blackberry.com> wrote on Thursday, 10 September 2020 at 11:18 PM:

> From: TLS <tls-bounces@ietf.org> On Behalf Of Salz, Rich
> > Do we need a short RFC saying “do not use static DH” ?
>
> Don’t TLS 0-RTT and ESNI/ECH via HPKE use a type of (semi)static ECDH? If
> so, then an RFC to ban static (EC)DH in TLS would need to be very clear
> about not referring to these use cases of static ECDH.
>

"should not use (semi)static DH for the session key agreement scenario" ?
"may use (semi)static ECDH for the 0-RTT scenario with no forward security
requirement" ?


>
> My 2c. What about combining static ECDH (instead of signatures) with
> ephemeral ECDH, e.g. for more fully deniable authentication?  (ECMQV does
> this.)  (Perhaps this is also similar to the KEMTLS proposal for PQC,
> https://ia.cr/2020/534 - still need to study that.)
>