Re: [TLS] Extensions "supported_groups" and "key_share" in TLS 1.3
Xuelei Fan <xuelei.fan@vimino.com> Fri, 27 November 2015 01:28 UTC
Return-Path: <xuelei.fan@vimino.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5693D1A00A4 for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 17:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.877
X-Spam-Level:
X-Spam-Status: No, score=0.877 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FRT_BELOW2=2.154, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFuj1W8tgsoc for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82CF31A00A8 for <tls@ietf.org>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
Received: by oiww189 with SMTP id w189so54450130oiw.3 for <tls@ietf.org>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vimino-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mo7HkFEnARfrNDLxoP7cY8Aqnk763LilHgdkt117868=; b=G3QWT5LGCxsWxv52bz9r0eA5qe7Q/Nf7mx2xMmyeqArNG+s6S9hssGd/n4Hm1/WEsH Xk71XODUh74LvaRjx/DUpHPPKaVzRDXhIlv1/+iqt2fJulFg3xZIGnOzYwHhjK5yLhew o8ZXw16yW2B7zuE5xJp8oDNMCpF+ZhJ/z3wFFGw4GlqRrVwlfm9vvZQwdZKmSdbKooYn S1Ic1eii1StrO9XpvM93CIpdt8BJoB4XaJFjvBNZZNKcTwzTe/iG3oiqZ5VynYuhtIlM O2eB4soZ+5ZTCYMfTDdwSKOsmsNyGYJrdEUV4SU9JxoBWnvqmDTP2i+ZT4jEOiIMRQEw PCug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mo7HkFEnARfrNDLxoP7cY8Aqnk763LilHgdkt117868=; b=Sr74HxHz287ZxDngQ9PaRRJXdvUbl9u7GbqI5uFSJ6FhfQ+9H8x6sJ9Wre+0P4L3BD +svUh0c/QUbScL/oBQosbcpoqQy2F1otttMo8N/TDEZGtZcQ5jl1NIxqMU8ssOKEQKb5 wtS0XoIWOa8LgzWe1Vn7rmVapInZM0AxCCy66AaMAIvQ2z/kh571Tx/PyO15pUTe5KDK A4Ivq8/1tGAake0GAWUvWHfR+dPknjCgEs3C6XiAmnEk/TWOlXwfw2vWhlYdw520zagU v+LpA5IH+V43MVLeBsaka7pCbH40jZQL7oDYPdgABhC7bE7wfhRb/AcfvLsAn0RWook+ v3eA==
X-Gm-Message-State: ALoCoQmrIll098Dw6ziyAHsjAuTYPFJcqRdDPA3kbkTQrWP9FaZYzgr8AKoll7KfFnJdmgo/0kHd
MIME-Version: 1.0
X-Received: by 10.202.208.83 with SMTP id h80mr31030326oig.74.1448587715917; Thu, 26 Nov 2015 17:28:35 -0800 (PST)
Received: by 10.76.171.103 with HTTP; Thu, 26 Nov 2015 17:28:35 -0800 (PST)
X-Originating-IP: [148.87.19.218]
In-Reply-To: <20151126191525.GB3728@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAgBOhuOPB=jxO=WWHmy_y7ARY5qfdK2x4xC9t-Z-vn0UU5Paw@mail.gmail.com> <20151126142632.GA3582@LK-Perkele-V2.elisa-laajakaista.fi> <CAAgBOhtG7vKx6Bro9+Qp2Gbcz8sitatYKEL=R5tW8ix7rSeMqw@mail.gmail.com> <20151126191525.GB3728@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 27 Nov 2015 09:28:35 +0800
Message-ID: <CAAgBOhvRY+TPKb-Bwtpm_uGKJwJyaY7pDZfd38MrucOhSC_oEg@mail.gmail.com>
From: Xuelei Fan <xuelei.fan@vimino.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113d2ed63bd08505257b9c79"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/n-vdcRXhQhOEFlDvoHpYeIQExJc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Extensions "supported_groups" and "key_share" in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 01:28:39 -0000
On Fri, Nov 27, 2015 at 3:15 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Thu, Nov 26, 2015 at 11:37:12PM +0800, Xuelei Fan wrote: > > > This wouldn't work if one had to downnegotiate TLS 1.2. That is going > to > > > happen A LOT. > > > > > > I think, "supported_groups" extension still can be sent for TLS 1.2, > but > > can be ignored for TLS 1.3. And "key_share" extension can be extended to > > support TLS 1.2 and previous versions. > > Given the slowness even _security_ _fix_ extensions get deployed, > planning any sort of transition is not IMO a good idea. > > Agreed. If "supported_groups" extension is only for compatibility, it can be not-mandatory. However, if it is defined to define the supported groups and preferences (see bellow), it can be mandatory. > > > Also, one can support curve, but not prefer to send share on it (the > > > server can call for it, at cost of extra RTT). > > > > > The scenarios may be not effective because of the extra RTT. As if the > > client want to negotiate the curve, it may be more effective to provide > the > > key information in the beginning. Or, maybe the generation of the key > > exchange information is more expensive? > > Yes, generating key exchanges can be expensive (even if it is cheaper > for each group then performing the actual key exchange). Especially for > P-384, P-521 and larger DH groups. > > Also, the shares can get large if many are sent. "Xmas tree" client > keyshare is 3384 bytes by quick calculation (whereas the one containing > P-256 and X25519 is just 109). That's many times the rest of the > ClientHello, and might already cause problems. > > Better plan might be to guess, as the cost of wrong guess is mostly > just 1 RTT. > > Agreed. > > > Plus, some of the curves are of special purpose and won't ever have > > > shares. > > > > > I missed this point. Is it possible to update the shares to tolerate the > > special purpose? For example, allowing empty shares. > > The current grammar does not allow empty value, so it is free. But > considering one needs supported_groups for backward compat., one can > just rely on that to signal that group is supported but no share is > given. > > > > > > Also, IIRC, if client has no shares, it omits key_share. If server > wants > > > FS cipher suite, it then has to signal retry. > > > > > That's may be the point I missed, too. Where and when the shares come > > from? Looks like there are two cases: > > 1. client generate the shares and wrap them in the initial ClientHello > > message. > > 2. client omits the key_share, but still request for (EC)DHE cipher > suites. > > If server want to negotiate (EC)DHE cipher suite, need an extra RTT. > > Client generate the shares on server request. > > I actually looked at the Editors's Copy. The description is a mess: It > seemingly first requires key_share extension, even for the first > ClientHello... Now, that extension can't be empty... And then proceeds > to say to omit it if client has no shares to send... Which looks like > it is mutually contradictionary. > > > I think the cases answer my confusing of the two extensions. Suppose, if > > the shares can be optional, maybe it is easier to use key_share only. If > > client has no shares, using key_share with no shares (function as > > supported_groups); if client has shares, using key_share with shares. > > I think two extensions are needed for backward compatiblity: One needs > to use supported_groups, but one can't extend it, so two extension it > is. > > TLS 1.3 (without 0-RTT) is supposed to be possible to downnegotiate at > least to TLS 1.2. > > Version down-negotiation is OK, but define "supported_groups" extension as mandatory may be too strong, unless there are other considerations (See bellow). > > > > The "supported_groups" extension defines the groups, while the > > > "key_share" > > > > extension defines both the groups and the key exchange information. > Both > > > > extension has its own preferences for the supported named groups. > It's > > > > easy to get conflicted if the two preferences are not consistent. > The > > > > "key_share" extension contains the information of the supported named > > > > groups. So, the information can be used to indicate the client > supported > > > > named groups. Maybe, for TLS 1.3, it is not necessary to use the > > > > "supported_groups" extension any more. > > > > > > The only way to be conflicted would be to send key share for group not > in > > > supported_groups. Sending supported_group for group not in key_shares > is > > > not a conflict[1]. > > > > > The preferences may be not consistent, too. For example, the > > supported_groups prefer ffdhe2048, but the key_share prefer ffdhe4096. > > Using two preferences would make the implementation inconsistent between > > vendors if no clearly specification about the preference of the two. > > Only supported_groups are perference-ordered. Key_shares is unordered, > with special exception for retry (the added group always goes last). > > In section 6.3.2.3: client_shares A list of offered KeyShareEntry values in descending order of client preference. I think, key_share is ordered too. If considering both key_share and supported_groups together, looks like there are two options: 1. key_share defines the preferences and supported named groups, which is overlap with supported_groups. supported_groups is used for version down-negotiation purpose. Don't define supported_groups as mandatory any more. For this case, empty key_share vector can be used to indicate to request server choice shares. 2. key_share won't defines the preferences any more. The named groups in key_share MUST exist in supported_groups extensions. supported_groups is used to define the supported named groups and preference, and key_share is used to define the shares. Both are mandatory. For this case, key_share can be omitted to indicate to request server choice shares. > > > [1] In fact, I expect many clients to send shares for P-256 and X25519, > > > plus offer P-384 and X448 (without shares unless requested). > > > > > > > > I like this scenarios more. It might be more clear if TLS 1.3 support > > this scenarios, but not the scenarios that sending shares before > > requested. For the TLS vendors, client implementation may only consider > > one option. While a server implementation need to consider both, the > effort > > doubles. > > Basically, with some groups, sending on request is the only workable > option, given how slow or large some shares are. > > Now, if PQ key exchanges were added, things would get worse, because > those methods tend to either have large keys or slow key exchange/ > generation. > > Agreed. Thanks, Xuelei > > > -Ilari >
- [TLS] Extensions "supported_groups" and "key_shar… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Ilari Liusvaara
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Ilari Liusvaara
- Re: [TLS] Extensions "supported_groups" and "key_… Dave Garrett
- Re: [TLS] Extensions "supported_groups" and "key_… Eric Rescorla
- Re: [TLS] Extensions "supported_groups" and "key_… Dave Garrett
- Re: [TLS] Extensions "supported_groups" and "key_… Eric Rescorla
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Eric Rescorla
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Dave Garrett
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Dave Garrett
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Hubert Kario
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Hubert Kario
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan
- Re: [TLS] Extensions "supported_groups" and "key_… Hubert Kario
- Re: [TLS] Extensions "supported_groups" and "key_… Xuelei Fan