Re: [TLS] What would make TLS cryptographically better for TLS 1.3
Nico Williams <nico@cryptonector.com> Fri, 01 November 2013 23:40 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D557E11E817D for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 16:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[AWL=-0.543, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUw0HgavDRdp for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 16:40:35 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by ietfa.amsl.com (Postfix) with ESMTP id EBCAE11E8136 for <tls@ietf.org>; Fri, 1 Nov 2013 16:40:34 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id 5FE432005D105; Fri, 1 Nov 2013 16:40:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=m9Ot+IpRn81TFz BJzNlSes5S/As=; b=AdE/8rqiTVW6IQ4FjL3kk/8X0iXZuPHs4UeFkroEZSHccB wKK305iOk66tnLyP8npruNvuafZoXu09oiMEitCyZRQ50a5YAwWdVz5N8WZeAK0W C3OWYtcLzar+THyv75L/XmjPKtkxxkmwfIRUhosTGK4Ub56NEDG6cop972Y3w=
Received: from gmail.com (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPSA id 043A62005D104; Fri, 1 Nov 2013 16:40:33 -0700 (PDT)
Date: Fri, 01 Nov 2013 18:40:31 -0500
From: Nico Williams <nico@cryptonector.com>
To: Robert Ransom <rransom.8774@gmail.com>
Message-ID: <20131101234028.GH32733@gmail.com>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <20131031230955.GB32733@gmail.com> <CABqy+sof-NtSmZwTNN-x9Ekppz4PYMu2Pr3KjaEUdT7Wzxe7mQ@mail.gmail.com> <4e1772ced74d9347c88a66b123f8878f.squirrel@www.trepanning.net> <20131101231342.GG32733@gmail.com> <CABqy+sq=qdy1AH6CbHi55y--5svdc5A=upE0zsLsd2c4jZyH4g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABqy+sq=qdy1AH6CbHi55y--5svdc5A=upE0zsLsd2c4jZyH4g@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What would make TLS cryptographically better for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 23:40:40 -0000
On Fri, Nov 01, 2013 at 04:34:24PM -0700, Robert Ransom wrote: > The server should be allowed to send up to 32 bytes of nonce. Some > servers will want to conceal the lifetime of their keypair by > generating nonces using a counter encrypted or hashed with a secret, > using the cheapest encryption or hash function available; this may be > TEA, AES, SHA-256, or something else, depending on the hardware. Some > servers will want to use a fast RNG to generate nonces. 32 bytes > should be enough to prevent even a random (or hash-derived) nonce from > repeating; anything less than that may not be enough for some servers. The point of smaller/fewer nonces is two-fold: - if anyone was using 32 bytes of Dual_EC DRBG output before and it went unnoticed because, hey, that's what it's there fore, well, now it may be more noticeable if they do that sort of thing and spread those magic 32 bytes over several nonces Yes, this is fighting yesterday's war. But anyways. - less subliminal channel bandwidth (same thing) Subliminal channels are very difficult to eliminate. Merely reducing their bandwidth ought to help. If, for example, there's only a 16 bytes total of nonces in the handshakes (8 bytes for each of the client and server), and the cipher+mode in use doesn't need random IVs, then TLS connections would have no subliminal channels post-handshake, and hopefully the channel in the handshakes is very small (there's still bogus extensions and such to consider, but those at least can stand out). Worth it? I think so. Nico --
- [TLS] What would make TLS cryptographically bette… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- [TLS] removal of nonces [was: What would make TLS… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Andy Lutomirski
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] removal of nonces [was: What would make… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Nikos Mavrogiannopoulos
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Robert Ransom
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Watson Ladd
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Martin Rex
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser
- Re: [TLS] What would make TLS cryptographically b… Jeff Jarmoc
- Re: [TLS] What would make TLS cryptographically b… Nico Williams
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Johannes Merkle
- Re: [TLS] What would make TLS cryptographically b… Dan Harkins
- Re: [TLS] What would make TLS cryptographically b… Yoav Nir
- Re: [TLS] What would make TLS cryptographically b… Santosh Chokhani
- Re: [TLS] What would make TLS cryptographically b… Ralf Skyper Kaiser