Re: [TLS] TLS 1.2 Long-term Support Profile draft posted

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 16 March 2016 19:27 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4337A12DADB for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 12:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ayJUKDiyBVY for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 12:27:24 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3on0697.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe04::697]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF07F12DAD1 for <tls@ietf.org>; Wed, 16 Mar 2016 12:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=gTiEGNz1VNPzxVLqqFIlnOSeUnpiJYwug5TjsxU8Muo=; b=o1yghhJhI90TnzK0VjG9zjN5mk7CFliRvJPKy19a6nOvYq29tF5cTWnA2EuW2jOjH9DpnSSQLZSnkZxoEsEJu6q8GmSwFNfh0/JRDHUdtSQiQ6WFe6U8s/TOBhsgH6UMJ6U4Dx7P0f19Z27Y07rF3QHIdMz9XG+xnObFebXPt18=
Received: from DB5PR03MB1813.eurprd03.prod.outlook.com (10.166.171.146) by DB5PR03MB1816.eurprd03.prod.outlook.com (10.166.171.149) with Microsoft SMTP Server (TLS) id 15.1.434.16; Wed, 16 Mar 2016 19:26:59 +0000
Received: from DB5PR03MB1813.eurprd03.prod.outlook.com ([10.166.171.146]) by DB5PR03MB1813.eurprd03.prod.outlook.com ([10.166.171.146]) with mapi id 15.01.0434.019; Wed, 16 Mar 2016 19:26:59 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [TLS] TLS 1.2 Long-term Support Profile draft posted
Thread-Index: AdF/gGiJXC2ZI/lER3iVToFYg5p2egAFHsAAAAb9CQAAAL3XAAABgj0A
Date: Wed, 16 Mar 2016 19:26:59 +0000
Message-ID: <D30F5F9C.66E8A%kenny.paterson@rhul.ac.uk>
References: <9A043F3CF02CD34C8E74AC1594475C73F4C2374E@uxcn10-tdc05.UoA.auckland.ac.nz> <CACsn0cks1tvdcYkVRj9r3TZe1GEcNA5f2x14PQntk3j1Ws+rPg@mail.gmail.com> <D30F5342.66E5C%kenny.paterson@rhul.ac.uk> <CACsn0cn_MyJO3dSzq8gZDdWg5OjizRXZMn_B7YZyAVCBrE0W_g@mail.gmail.com>
In-Reply-To: <CACsn0cn_MyJO3dSzq8gZDdWg5OjizRXZMn_B7YZyAVCBrE0W_g@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.1.160122
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=rhul.ac.uk;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [92.3.218.210]
x-ms-office365-filtering-correlation-id: e81974de-fb27-4b89-6460-08d34dd0f1ac
x-microsoft-exchange-diagnostics: 1; DB5PR03MB1816; 5:9ySmMMySbK+NaJ98NVDTBX0OuihfROVNgN7NwV+nSiBUHgGRRkBHEnkPQTDgz2ah/c7BJvT5MwH/736tCL9RhFM/O/GXmYwGM+qbHBmqN0Myx2tX58tvzufm4svJZfTls+lZAcT7cBqcbR/AQ+jXCQ==; 24:Y2oKSdcJLT379C4Of1Gnz5O8hNsV7dKQtdimnmhdk4ckW3/T8VPF0Nkr7YVKro3UxNz81yOEHTGDnrcuErsq2pUYnOANykEpUgBlMnfkO8c=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR03MB1816;
x-microsoft-antispam-prvs: <DB5PR03MB18166FFA7C8BC513512E7AB5BC8A0@DB5PR03MB1816.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046); SRVR:DB5PR03MB1816; BCL:0; PCL:0; RULEID:; SRVR:DB5PR03MB1816;
x-forefront-prvs: 08831F51DC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(377454003)(479174004)(24454002)(3280700002)(5008740100001)(81166005)(15975445007)(2900100001)(10400500002)(189998001)(5002640100001)(2950100001)(3660700001)(36756003)(110136002)(586003)(77096005)(74482002)(122556002)(86362001)(93886004)(19580395003)(19580405001)(102836003)(6116002)(3846002)(87936001)(92566002)(1411001)(50986999)(4001350100001)(11100500001)(4326007)(66066001)(1220700001)(54356999)(1096002)(83506001)(2906002)(5004730100002)(76176999); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR03MB1816; H:DB5PR03MB1813.eurprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-ID: <EC2BA4C7433389448675A15B7BC85A95@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Mar 2016 19:26:59.1421 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR03MB1816
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nJP18nl4LLtOgkI-d4mmi43-Upo>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 19:27:27 -0000

Hi

On 16/03/2016 18:44, "Watson Ladd" <watsonbladd@gmail.com>; wrote:

>On Wed, Mar 16, 2016 at 11:22 AM, Paterson, Kenny
><Kenny.Paterson@rhul.ac.uk>; wrote:
>> Hi
>>
>> On 16/03/2016 15:02, "TLS on behalf of Watson Ladd"
>><tls-bounces@ietf.org
>> on behalf of watsonbladd@gmail.com>; wrote:
>>
>> <snip>
>>
>>>The analysis of TLS 1.3 is just wrong. TLS 1.3 has been far more
>>>extensively analyzed then TLS 1.2. It's almost like you don't believe
>>>cryptography exists: that is a body of knowledge that can demonstrate
>>>that protocols are secure, and which has been applied to the draft.
>>
>> This is patently untrue. There is a vast body of research analysing TLS
>> 1.2 and earlier. A good survey article is here:
>>
>> https://eprint.iacr.org/2013/049
>
>There's a vast literature, but much of it makes simplifying
>assumptions or doesn't address the complete protocol.

Correct, but that does not make it irrelevant or valueless. Or are you
actually saying that it does? Quite a sweeping presumption; see
immediately below.

>The first really
>complete analysis was miTLS AFAIK.

Yes, and even there the analysis was done step by step, spread out over a
series of papers which gradually built up the complexity of the code-base
being handled. And, in parallel, various other groups were doing hand
proofs of abstractions of the core protocol. And I believe it's fair to
say - from having discussed it extensively with the people involved - that
the miTLS final analysis benefitted a lot from the experience gained by
the teams doing the hand proofs, going right back to a paper in 2002 by
Jonsson and Kaliski Jr.

My point is that the TLS 1.2 "final" analysis represented by the miTLS
work was the culmination of a long line of research involving many people
and influenced by many sources.

> Furthermore, a lot of the barriers
>to analysis in TLS 1.2 got removed in TLS 1.3.

Unfortunately, some of them may be coming back again. But again, this has
nothing to do with the argument you were making.

>The question is not how
>many papers are written, but how much the papers can say about the
>protocol as implemented. And from that perspective TLS 1.3's Tamarin
>model is a fairly important step, where the equivalent steps in TLS
>1.2 got reached only much later.

The timing is entirely irrelevant to the argument you were making.

I agree though that it's about the depth and reach of the analysis. And
from this perspective, I'd say that TLS 1.3 is still way behind TLS 1.2,
despite the very nice analyses done by Sam and Thyla (and their
collaborators), by Hugo & Hoeteck, and by Felix & co.

I could go further, but I expect that, by now, only you and I are actually
reading this.

>It's true 0-RTT isn't included: so don't do it. But I think if we
>subset (not add additional implementation requirements) TLS 1.3
>appropriately we end up with a long-term profile that's more useable
>than if we subset TLS 1.2, and definitely more than adding to the set
>of mechanisms. I think claims that TLS 1.3 outside of 0-RTT is likely
>to have crypto weaknesses due to newness are vastly overstated.

I didn't make that claim.

Cheers

Kenny

>-- 
>"Man is born free, but everywhere he is in chains".
>--Rousseau.

"If I have seen further it is by standing on the shoulders of Giants"
-- Newton, in a letter to Robert Hooke