Re: [TLS] OPTLS: Signature-less TLS 1.3
Eric Rescorla <ekr@rtfm.com> Sat, 01 November 2014 21:46 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC911A1AEA for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 14:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgndG4GQzdqG for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 14:46:31 -0700 (PDT)
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3851A1AC8 for <tls@ietf.org>; Sat, 1 Nov 2014 14:46:31 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id x13so8629664wgg.22 for <tls@ietf.org>; Sat, 01 Nov 2014 14:46:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=8ZnnwFFMpC+qce+5joUFnHawa0YglML9omB0GRLTbRc=; b=QJ6Zl/0qo9WKWiG+oFyrY5GP+ewO2WQbZkNdwD7EMIE5K1kcuD723pwTF+mlF5ITku TavgDWG2AmqglBktG9JP7r2GstWsIReyCyg+Ad1LcS/s2IMgmv3L8s1Q7QFfY6M10xyr L8u3uv810NyFBO/3/skvT+rMpDvOHgK9r0+79ZXxvCk9wdi8orv4W2uNLe0FwnCVTdIn 9KtnaUL/4Mg6iei51yMT/GkHNWSNK5+TgfkChyOh9RhjHs44LIQDYfZBt1yMriYoJqU3 2eK7IHlLnOQGMtcyrwyLRJfveKIvfQS8vHhbFTezBjqk0gGnj4VQ+p18ca3tmyZJqoEk XRng==
X-Gm-Message-State: ALoCoQnKhhs3C9kj4mu3Yrs2zocBVp7ExgMUe0+9PxbfzOfb93s9DXmCEAhFOaqeZqjGC8091etZ
X-Received: by 10.180.107.136 with SMTP id hc8mr5920763wib.78.1414878389774; Sat, 01 Nov 2014 14:46:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sat, 1 Nov 2014 14:45:49 -0700 (PDT)
In-Reply-To: <CACsn0c=c6z5VR3KZ2f6oydVrFxBxzWwpbyVr4Xt5x04NAUiVYQ@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <614363650.3172177.1414834861225.JavaMail.zimbra@redhat.com> <20141101101611.GA25180@LK-Perkele-VII> <CABcZeBNYpQu=SCorXDa+TEEGVLb7d902LAed5fjDeK-wbafVRw@mail.gmail.com> <CACsn0c=c6z5VR3KZ2f6oydVrFxBxzWwpbyVr4Xt5x04NAUiVYQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 01 Nov 2014 14:45:49 -0700
Message-ID: <CABcZeBNG1q37tZ1JOZEKOm8aAVZc3Ve6C5jkFTdA0fWu_kjn5g@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="e89a8f3bad45d2c6b40506d30b4c"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/o_BSCtLGoZt92z6djjlsvmM59Ms
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 21:46:34 -0000
On Sat, Nov 1, 2014 at 2:07 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sat, Nov 1, 2014 at 7:46 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Sat, Nov 1, 2014 at 3:16 AM, Ilari Liusvaara > > <ilari.liusvaara@elisanet.fi> wrote: > >> > >> > > PROTOCOL OPTLS: > >> > > > >> > > ClientHello > >> > > ClientKeyShare > >> > > ClientData* [K0] --------> > >> > > ServerHello > >> > > ServerKeyShare > >> > > ServerCertificate* [K1] > >> > > ServerFinished [K2] > >> > > <-------- ServerData* [K2] > >> > > ClientFinished* [K2] --------> > >> > > > >> > > > >> > > Protected Application Data [K3] > >> > > <-------> > >> > > 1-RTT CASE: > >> > > > >> > > The basic 1-RTT case omits the ClientData* field. It includes a > >> > > ClientKeyShare > >> > > g^x and a ServerKeyShare g^y and an optional (encrypted) server > >> > > certificate. > >> > > If the certificate is sent (it can be omitted if the client has > >> > > indicated > >> > > that > >> > > it knows the server key as in the case in the 0-RTT scenario) and is > >> > > encrypted, > >> > > the encryption key K1 is derived from g^{xy}. > >> > > > >> > > Key K2 is an encryption key derived from both g^{xs} and g^{xy}. It > is > >> > > used > >> > > to > >> > > authenticate-encrypt the ServerFinished and ClientFinished messages > >> > > (which > >> > > include a hash of the previous traffic) and to encrypt data from the > >> > > server > >> > > if > >> > > such data is piggybacked to the second message. > >> > > >> > How does the client get the DH (or ECDH) group parameters used by the > >> > server? > >> > >> Presumably from ServerHello (with CKS being optimistic). > >> > >> But the case where client misses all its guesses needs to be handled. > > > > > > Unless I'm missing something, this can be handled the way that we > > currently handle missed guesses, I.e., by having a HelloRetryRequest > > followed by a new ClientHello/ClientKeyShare. Though of course > > the server does need to either keep their RSA private key online > > or periodically generate new signed DH shares for every group. > > > > > >> > >> However, this poses some challenges with respect to revocation. From > what > >> I > >> understand, the parameters are intended to have limited lifetime (much > >> shorter than EE certificates). > >> > >> The reason this is problematic is that one can't really rely on clocks: > >> - Even if you happen to have sub-second accurate clock, a lot of > computers > >> don't. > >> - The time protocols often aren't secured, allowing attacker to play > >> tricks > >> with endpoint time. > > > > > > We're already starting to have that problem because of a desire to move > to > > OCSP > > stapling, which, with staple, effectively gives the server a credential > > which is > > valid only within a fairly narrow window. However, I think you're right > that > > this > > probably limits the range of lifetimes you can use with these signed DH > > keys. > > That's not the problem Illari was talking about: It's not that g^s has > limited lifetime, but that there is no way to know that the lifetime > is expired, so it has long lifetime. NTP is not secure, so we have to > deal with bad clocks. In the case of certificates, this is usually not > so bad as the lifetimes are long. It might not be a problem for this, > as we can occasionally resign, keep s in memory and not be worse off > than today, or say that TLS clients need trusted clocks to avoid > compromise when s is revealed. > Yes. I understand this. My point is that OCSP Stapling is effectively like short-lived certificates (and short-lived DHE shares) in that you have a credential which is valid for a relatively short period of time and which therefore requires that therefore requires tight clock synchronization. And since we're moving towards OCSP stapling and short-lived certs, we've got this problem in any case. Arguably, the situation is slightly better here because the server gets to select the key lifetime and so it can tune it depending on its assessment of client clock accuracy, which is unlikely to be the case with OCSP stapling. -Ekr
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk