IETF Logo Mail Archive

Re: [TLS] Extensions "supported_groups" and "key_share" in TLS 1.3

Xuelei Fan <xuelei.fan@vimino.com> Fri, 27 November 2015 01:28 UTC

Return-Path: <xuelei.fan@vimino.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5693D1A00A4 for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 17:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.877
X-Spam-Level:
X-Spam-Status: No, score=0.877 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FRT_BELOW2=2.154, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFuj1W8tgsoc for <tls@ietfa.amsl.com>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82CF31A00A8 for <tls@ietf.org>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
Received: by oiww189 with SMTP id w189so54450130oiw.3 for <tls@ietf.org>; Thu, 26 Nov 2015 17:28:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vimino-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mo7HkFEnARfrNDLxoP7cY8Aqnk763LilHgdkt117868=; b=G3QWT5LGCxsWxv52bz9r0eA5qe7Q/Nf7mx2xMmyeqArNG+s6S9hssGd/n4Hm1/WEsH Xk71XODUh74LvaRjx/DUpHPPKaVzRDXhIlv1/+iqt2fJulFg3xZIGnOzYwHhjK5yLhew o8ZXw16yW2B7zuE5xJp8oDNMCpF+ZhJ/z3wFFGw4GlqRrVwlfm9vvZQwdZKmSdbKooYn S1Ic1eii1StrO9XpvM93CIpdt8BJoB4XaJFjvBNZZNKcTwzTe/iG3oiqZ5VynYuhtIlM O2eB4soZ+5ZTCYMfTDdwSKOsmsNyGYJrdEUV4SU9JxoBWnvqmDTP2i+ZT4jEOiIMRQEw PCug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mo7HkFEnARfrNDLxoP7cY8Aqnk763LilHgdkt117868=; b=Sr74HxHz287ZxDngQ9PaRRJXdvUbl9u7GbqI5uFSJ6FhfQ+9H8x6sJ9Wre+0P4L3BD +svUh0c/QUbScL/oBQosbcpoqQy2F1otttMo8N/TDEZGtZcQ5jl1NIxqMU8ssOKEQKb5 wtS0XoIWOa8LgzWe1Vn7rmVapInZM0AxCCy66AaMAIvQ2z/kh571Tx/PyO15pUTe5KDK A4Ivq8/1tGAake0GAWUvWHfR+dPknjCgEs3C6XiAmnEk/TWOlXwfw2vWhlYdw520zagU v+LpA5IH+V43MVLeBsaka7pCbH40jZQL7oDYPdgABhC7bE7wfhRb/AcfvLsAn0RWook+ v3eA==
X-Gm-Message-State: ALoCoQmrIll098Dw6ziyAHsjAuTYPFJcqRdDPA3kbkTQrWP9FaZYzgr8AKoll7KfFnJdmgo/0kHd
MIME-Version: 1.0
X-Received: by 10.202.208.83 with SMTP id h80mr31030326oig.74.1448587715917; Thu, 26 Nov 2015 17:28:35 -0800 (PST)
Received: by 10.76.171.103 with HTTP; Thu, 26 Nov 2015 17:28:35 -0800 (PST)
X-Originating-IP: [148.87.19.218]
In-Reply-To: <20151126191525.GB3728@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAgBOhuOPB=jxO=WWHmy_y7ARY5qfdK2x4xC9t-Z-vn0UU5Paw@mail.gmail.com> <20151126142632.GA3582@LK-Perkele-V2.elisa-laajakaista.fi> <CAAgBOhtG7vKx6Bro9+Qp2Gbcz8sitatYKEL=R5tW8ix7rSeMqw@mail.gmail.com> <20151126191525.GB3728@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 27 Nov 2015 09:28:35 +0800
Message-ID: <CAAgBOhvRY+TPKb-Bwtpm_uGKJwJyaY7pDZfd38MrucOhSC_oEg@mail.gmail.com>
From: Xuelei Fan <xuelei.fan@vimino.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113d2ed63bd08505257b9c79"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/n-vdcRXhQhOEFlDvoHpYeIQExJc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Extensions "supported_groups" and "key_share" in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 01:28:39 -0000

On Fri, Nov 27, 2015 at 3:15 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Nov 26, 2015 at 11:37:12PM +0800, Xuelei Fan wrote:
> > > This wouldn't work if one had to downnegotiate TLS 1.2. That is going
> to
> > > happen A LOT.
> > >
> > > I think, "supported_groups" extension still can be sent for TLS 1.2,
> but
> > can be ignored for TLS 1.3.  And "key_share" extension can be extended to
> > support TLS 1.2 and previous versions.
>
> Given the slowness even _security_ _fix_ extensions get deployed,
> planning any sort of transition is not IMO a good idea.
>
> Agreed.

If  "supported_groups" extension is only for compatibility, it can be
not-mandatory.  However, if it is defined to define the supported groups
and preferences (see bellow), it can be mandatory.


> > > Also, one can support curve, but not prefer to send share on it (the
> > > server can call for it, at cost of extra RTT).
> > >
> > The scenarios may be not effective because of the extra RTT.  As if the
> > client want to negotiate the curve, it may be more effective to provide
> the
> > key information in the beginning.  Or, maybe the generation of the key
> > exchange information is more expensive?
>
> Yes, generating key exchanges can be expensive (even if it is cheaper
> for each group then performing the actual key exchange). Especially for
> P-384, P-521 and larger DH groups.
>
> Also, the shares can get large if many are sent. "Xmas tree" client
> keyshare is 3384 bytes by quick calculation (whereas the one containing
> P-256 and X25519 is just 109). That's many times the rest of the
> ClientHello, and might already cause problems.
>
> Better plan might be to guess, as the cost of wrong guess is mostly
> just 1 RTT.
>
> Agreed.


> > > Plus, some of the curves are of special purpose and won't ever have
> > > shares.
> > >
> > I missed this point.  Is it possible to update the shares to tolerate the
> > special purpose?  For example, allowing empty shares.
>
> The current grammar does not allow empty value, so it is free. But
> considering one needs supported_groups for backward compat., one can
> just rely on that to signal that group is supported but no share is
> given.
>
> >
> > > Also, IIRC, if client has no shares, it omits key_share. If server
> wants
> > > FS cipher suite, it then has to signal retry.
> > >
> > That's may be the point I missed, too.  Where and when the shares come
> > from?  Looks like there are two cases:
> > 1. client generate the shares and wrap them in the initial ClientHello
> > message.
> > 2. client omits the key_share, but still request for (EC)DHE cipher
> suites.
> > If server want to negotiate (EC)DHE cipher suite, need an extra RTT.
> > Client generate the shares on server request.
>
> I actually looked at the Editors's Copy. The description is a mess: It
> seemingly first requires key_share extension, even for the first
> ClientHello... Now, that extension can't be empty... And then proceeds
> to say to omit it if client has no shares to send... Which looks like
> it is mutually contradictionary.
>
> > I think the cases answer my confusing of the two extensions.  Suppose, if
> > the shares can be optional, maybe it is easier to use key_share only.  If
> > client has no shares, using key_share with no shares (function as
> > supported_groups); if client has shares, using key_share with shares.
>
> I think two extensions are needed for backward compatiblity: One needs
> to use supported_groups, but one can't extend it, so two extension it
> is.
>
> TLS 1.3 (without 0-RTT) is supposed to be possible to downnegotiate at
> least to TLS 1.2.
>
> Version down-negotiation is OK, but define "supported_groups" extension as
mandatory may be too strong, unless there are other considerations (See
bellow).


> > > > The "supported_groups" extension defines the groups, while the
> > > "key_share"
> > > > extension defines both the groups and the key exchange information.
> Both
> > > > extension has its own preferences for the supported named groups.
> It's
> > > > easy to get conflicted if the two preferences are not consistent.
> The
> > > > "key_share" extension contains the information of the supported named
> > > > groups.  So, the information can be used to indicate the client
> supported
> > > > named groups.  Maybe, for TLS 1.3, it is not necessary to use the
> > > > "supported_groups" extension any more.
> > >
> > > The only way to be conflicted would be to send key share for group not
> in
> > > supported_groups. Sending supported_group for group not in key_shares
> is
> > > not a conflict[1].
> > >
> > The preferences may be not consistent, too.  For example, the
> > supported_groups prefer ffdhe2048, but the key_share prefer ffdhe4096.
> > Using two preferences would make the implementation inconsistent between
> > vendors if no clearly specification about the preference of the two.
>
> Only supported_groups are perference-ordered. Key_shares is unordered,
> with special exception for retry (the added group always goes last).
>
>
In section 6.3.2.3:
    client_shares
         A list of offered KeyShareEntry values in descending order of
client preference.

I think, key_share is ordered too.  If considering both key_share and
supported_groups together, looks like there are two options:
1. key_share defines the preferences and supported named groups, which is
overlap with supported_groups. supported_groups is used for version
down-negotiation purpose. Don't define supported_groups as mandatory any
more.

For this case, empty key_share vector can be used to indicate to request
server choice shares.

2. key_share won't defines the preferences any more.  The named groups in
key_share MUST exist in supported_groups extensions.  supported_groups is
used to define the supported named groups and preference, and key_share is
used to define the shares.  Both are mandatory.

For this case, key_share can be omitted to indicate to request server
choice shares.


> > > [1] In fact, I expect many clients to send shares for P-256 and X25519,
> > > plus offer P-384 and X448 (without shares unless requested).
> > >
> > >
> > I like this scenarios more.  It might be more clear if TLS 1.3 support
> > this scenarios, but not the scenarios that sending shares before
> > requested.  For the TLS vendors, client implementation may only consider
> > one option. While a server implementation need to consider both, the
> effort
> > doubles.
>
> Basically, with some groups, sending on request is the only workable
> option, given how slow or large some shares are.
>
> Now, if PQ key exchanges were added, things would get worse, because
> those methods tend to either have large keys or slow key exchange/
> generation.
>
> Agreed.

Thanks,
Xuelei


>
>
> -Ilari
>

v2.23.0 | Report a Bug | By Email