[TLS] ECDH_anon I-D (was: A la carte handshake negotiation)

Dave Garrett <davemgarrett@gmail.com> Fri, 12 June 2015 18:38 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 12 Jun 2015 14:37:57 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201506111558.21577.davemgarrett@gmail.com> <201506121236.18304.davemgarrett@gmail.com> <20150612165558.GZ2050@mournblade.imrryr.org>
In-Reply-To: <20150612165558.GZ2050@mournblade.imrryr.org>
Message-Id: <201506121437.58527.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/q3W45pLWX4rRxucLla1HR2K334U>
Subject: [TLS] ECDH_anon I-D (was: A la carte handshake negotiation)

On Friday, June 12, 2015 12:55:59 pm Viktor Dukhovni wrote:
> On Fri, Jun 12, 2015 at 12:36:17PM -0400, Dave Garrett wrote:
> > AES CBC already cannot be used with TLS 1.3+, as it now requires AEAD ciphers only.
[...]
> The DH AEAD ciphersuite set includes two DH_anon members.  For ECDH
> AEAD there are none.
> 
> > TLS_ECDH_anon_WITH_AES_256_GCM_SHA384 is in this expired draft:
> > https://tools.ietf.org/html/draft-williams-tls-anon-ecdh-modern-cipher-01
> 
> Yes, I asked Nico to help fill the gap.  I guess this did not go
> very far.
[...]
> > Just properly publishing a "ECDH_anon" RFC would be preferable,
> > however.

Resurrecting this draft seems like a good idea, regardless of TLS 1.3.

https://tools.ietf.org/id/draft-williams-tls-anon-ecdh-modern-cipher-01.html

It defines:
==============================
TLS_ECDH_anon_WITH_AES_128_GCM_SHA256
    This is anonymous key agreement with ephemeral ECDH keys, with AES-128 in GCM mode, and SHA256 as the hash function for the TLS PRF.
TLS_ECDH_anon_WITH_AES_128_CCM_SHA256
    This is anonymous key agreement with ephemeral ECDH keys, with AES-128 in CCM mode, and SHA256 as the hash function for the TLS PRF.
TLS_ECDH_anon_WITH_AES_256_GCM_SHA384
    This is anonymous key agreement with ephemeral ECDH keys, with AES-256 in GCM mode, and SHA384 as the hash function for the TLS PRF.
TLS_ECDH_anon_WITH_AES_256_CCM_SHA384
    This is anonymous key agreement with ephemeral ECDH keys, with AES-256 in CCM mode, and SHA384 as the hash function for the TLS PRF.
==============================

If we're to update this draft, I think we should really change the "ECDH" to "ECDHE" here. It would make specifying which suite prefixes are permitted a lot simpler and less prone to confusion, as the current naming is inconsistent. All ephemeral suites should have the 'E' on the end, regardless of how it's provided.

Also, adding new ECC anon versions for other ciphers in the same document, like ARIA-GCM [RFC6209] and CAMELLIA-GCM [RFC6367], might be warranted.


Dave
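
The suite definitions quoted above, and the point about "ECDH_anon" being ephemeral without carrying the trailing 'E', can be made concrete with a small classifier for RFC 5246-style suite names. The following is an added example, not code from the post, from the draft, or from any TLS implementation: it parses TLS_<KX>_WITH_<CIPHER>_<HASH> names, derives key exchange, authentication, AEAD and PRF-hash properties, applies an assumed "authenticated, forward-secret, AEAD-only" policy, and produces the consistently-named form the post proposes (generalised to DH_anon as well as ECDH_anon, following the "all ephemeral should have the 'E'" rule). The policy rules and the helper names are this example's own assumptions.

```python
"""Classify TLS 1.2 cipher-suite names by key exchange, authentication and AEAD.

Added example, not code from the mailing-list post or from the draft it cites.
It parses the RFC 5246-style scheme TLS_<KX>_WITH_<CIPHER>_<HASH> and shows the
naming wrinkle the post raises: the *_anon suites are ephemeral even though the
name has no trailing 'E'. The draft suite names are taken from the post; the
contrast suites are well-known RFC 5246 / RFC 5289 names; the policy rules and
function names are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Suites defined in draft-williams-tls-anon-ecdh-modern-cipher-01, as quoted in the post.
DRAFT_ANON_ECDH_SUITES = [
    "TLS_ECDH_anon_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_anon_WITH_AES_128_CCM_SHA256",
    "TLS_ECDH_anon_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_anon_WITH_AES_256_CCM_SHA384",
]

_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Za-z0-9_]+)$")
_EPHEMERAL_KX = {"DHE", "ECDHE"}                  # the spellings that carry the 'E'
_AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    kx: str              # DH, ECDH, DHE, ECDHE, RSA, PSK, ...
    ephemeral: bool      # fresh key share per handshake (forward secrecy)
    authenticated: bool  # peer's share is signed or otherwise authenticated
    aead: bool
    prf_hash: str        # hash used by the TLS 1.2 PRF


def classify(name: str) -> SuiteInfo:
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_<KX>_WITH_<CIPHER> name: {name}")
    kx_parts = m.group("kx").split("_")   # ["ECDH", "anon"], ["ECDHE", "RSA"], ["RSA"], ...
    kx_alg = kx_parts[0]
    auth_tag = kx_parts[-1]               # "anon", "RSA", "ECDSA", "PSK", ...
    anonymous = auth_tag == "anon"
    # RFC 5246 DH_anon and RFC 4492 ECDH_anon send a fresh server share in
    # ServerKeyExchange, so they are ephemeral despite lacking the 'E'; that is
    # exactly the inconsistency the post wants removed.
    ephemeral = kx_alg in _EPHEMERAL_KX or anonymous

    rest = m.group("rest")
    suffix = rest.split("_")[-1]
    # A SHA256/SHA384 suffix names the PRF hash. "SHA"/"MD5" name a legacy HMAC,
    # and TLS 1.2 then uses its default PRF hash, SHA-256 (RFC 5246 section 5).
    prf_hash = suffix if suffix in ("SHA256", "SHA384") else "SHA256"
    aead = any(marker in rest for marker in _AEAD_MARKERS)
    return SuiteInfo(name, kx_alg, ephemeral, not anonymous, aead, prf_hash)


def policy_violations(name: str) -> list:
    """Reasons a suite fails an assumed authenticated, forward-secret, AEAD-only policy."""
    info = classify(name)
    problems = []
    if not info.authenticated:
        problems.append("anonymous key exchange: no peer authentication, MITM-able")
    if not info.ephemeral:
        problems.append("static key exchange: no forward secrecy")
    if not info.aead:
        problems.append("non-AEAD cipher")
    return problems


def consistent_name(name: str) -> str:
    """Rename as the post proposes: every ephemeral exchange carries the trailing 'E'."""
    info = classify(name)
    if info.ephemeral and info.kx in ("DH", "ECDH"):
        return name.replace(f"TLS_{info.kx}_", f"TLS_{info.kx}E_", 1)
    return name


if __name__ == "__main__":
    contrast = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # RFC 5289
                "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",    # RFC 5289, static ECDH
                "TLS_RSA_WITH_AES_128_CBC_SHA"]            # RFC 5246
    for suite in DRAFT_ANON_ECDH_SUITES + contrast:
        info = classify(suite)
        print(f"{suite:42} ephemeral={info.ephemeral!s:5} auth={info.authenticated!s:5} "
              f"aead={info.aead!s:5} prf={info.prf_hash}")
        print(f"    -> {consistent_name(suite)} | {'; '.join(policy_violations(suite)) or 'ok'}")
```

Run stand-alone, the table shows the four draft suites classified as ephemeral and AEAD but unauthenticated, which is why a policy that keys on the "ECDHE" prefix alone would silently miss them, and why the post argues for spelling the ephemeral property into the name rather than leaving it implied by "anon".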