Re: [TLS] Initial draft of DH-based key exchange
Eric Rescorla <ekr@rtfm.com> Mon, 23 March 2015 16:14 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F731AC41C for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 09:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNseFttmGfQ9 for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 09:14:38 -0700 (PDT)
Received: from mail-we0-f170.google.com (mail-we0-f170.google.com [74.125.82.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B7561AC40D for <tls@ietf.org>; Mon, 23 Mar 2015 09:14:37 -0700 (PDT)
Received: by wegp1 with SMTP id p1so141912286weg.1 for <tls@ietf.org>; Mon, 23 Mar 2015 09:14:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=AFhw3XJLtoV7QDgek2xSqyQd8dFoopxwg9omjfMmnDU=; b=lSM0IMJvBIfis6vHvHXoU+X7pTKhG6gA5pZQPLgJ9RLtpWySlQc8paCnIz9nM1aXdR GLCWy4KO8tsReH9hFIxZ5FqAm1WdHTVuZ3v/rVEH+rzaaaroUlheyjv9MbdLkHTy0BOm JPF1UKYiinhSgRLnrTBv8XIvinEJMzhrs/Z7LRqv6ZvIQEsgauhw4j5BqRkJCZGbBMaV 33kaBMC/3ze4SprfbeaxOygpfaCB+j4vQ6/XgcTPyJYVFVnMiX3EqHnmy6SipI0dKoTd 51yos3+dypU+hSJbgutFP6N1F0rjWelGC6Gh0Qddp9uetNs6O86aoMav52HViRVz4IYm xB7A==
X-Gm-Message-State: ALoCoQljDew6GCYQDszFbEZBXgl5q/vRH9sokInH25hrfPLP9qZgWmguL1nfv2WpyGuz23y56bRv
X-Received: by 10.194.120.230 with SMTP id lf6mr183866380wjb.78.1427127276253; Mon, 23 Mar 2015 09:14:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Mon, 23 Mar 2015 09:13:56 -0700 (PDT)
In-Reply-To: <1427123147.19595.62.camel@redhat.com>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <1427123147.19595.62.camel@redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2015 11:13:56 -0500
Message-ID: <CABcZeBPX8vUG8rxXsfgKy1HVhKA05F2wMzgaUqeRxeEasfeP=w@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: multipart/alternative; boundary="089e0115fe2459c8320511f6f6a2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nOXmXO6iXDmcdprhocnknjHdeuo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 16:14:42 -0000
On Mon, Mar 23, 2015 at 10:05 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > On Mon, 2015-03-23 at 08:36 -0500, Eric Rescorla wrote: > > Folks, > > At the interim discussed transitioning to a DH-based handshake (rather > > than a signature-based one) like that proposed by Hugo Krawczyk and > > Hoeteck Wee. The major rationale for this change is that any 0-RTT > > mode is inherently DH-based and so if we make that our basic mode, > > then we can simplify the protocol logic and key derivation model. This > > model also allows us to pull in PSK modes under the same basic > > structure. > [...] > > The WG sentiment was generally favorable to exploring this avenue but > > there was also airly strong WG sentiment that we didn't presently want > > to do an offline signatures. This leaves with a model in which the > > client initially learns the server's semi-static DH share through > > an online-signed 1-RTT handshake but then can cache it for use with > > future connections. > > Wasn't that discussed in the list before? My impression was that the > outcome of that discussion was not to add that. > There was enough interest that we decided to revisit it at the interim in view of the considerations I listed above, and the chairs asked me to draft it up so we could discuss here and in Dallas. As I said above, the WG can of course decide not to proceed in this direction which is why this is a separate branch rather than -06. > Anyway, a first question that comes to mind, is why this isn't defined > as separate ciphersuites? Why does it even have to be TLS 1.3 related? > Static DH parameters is an experiment that failed years ago. What has > changed since then that we believe now it is going to work? You even > dropped the static DH ciphersuites from TLS 1.3. Please make that part > optional so you don't doom the whole TLS 1.3 protocol enhancements if > no-one switches to static DH keys (in the document they are described as > semi-static DH keys - but there is no definition of what that means). > Well, what's being done here is qualitatively different in three ways: 1. The DH keys aren't in DH certificates (though one supposes they could be), rather they are attested to by the server signing key. 2. The semi-static DH keys are expected to be quite short-lived (possible because of point #1). Hence 'semi-static'. 3. We are doing a separate ephemeral-ephemeral DH exchange to provide PFS. The argument for not making it a cipher suite is that doing things this way allows us to have a unified protocol logic whereas that's not true if it's a separate option. A second question is why HKDF? Why is it even there? Is there any issue > with the current TLS PRF and we need another? Is there a valid reason to > bloat implementations with shipping multiple KDFs? As I said separately [0], there was some sentiment in the interim that HKDF was a more modern primitive. As above, I can easily back this out and use the existing PRF if that's what people prefer. -Ekr [0] https://www.ietf.org/mail-archive/web/tls/current/msg15625.html
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara