IETF Logo Mail Archive

Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01

Eric Rescorla <ekr@rtfm.com> Wed, 19 February 2014 21:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C476E1A0226 for <tls@ietfa.amsl.com>; Wed, 19 Feb 2014 13:54:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwKPRKv0DRdJ for <tls@ietfa.amsl.com>; Wed, 19 Feb 2014 13:54:50 -0800 (PST)
Received: from mail-ve0-f180.google.com (mail-ve0-f180.google.com [209.85.128.180]) by ietfa.amsl.com (Postfix) with ESMTP id D88651A01C1 for <tls@ietf.org>; Wed, 19 Feb 2014 13:54:49 -0800 (PST)
Received: by mail-ve0-f180.google.com with SMTP id db12so1040852veb.39 for <tls@ietf.org>; Wed, 19 Feb 2014 13:54:46 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=M9/Vz5Uj0s/YJqDMnVkscxPe7Z9eBL7FaEX8uFPKF+U=; b=DyTrZH4MimCOF+Cw1JWQ7nPcOB2nw9vz7eDGLm7NJCD3IjO6twQuScizuoanQYywPx mL9Rhi8cPo7sF3ib7+ZEjl9mFPtwvwTKe8MavWZSeH1/2KqVbxQe4Fg/xr9FdyTrJRNx bH/uBr2svn9t//bXpq17h7BDTTf0szkS4V8npGE+mip1GNRo2lBqKw6E05C5cDIzqTg0 mNvqtyrADdzgL4g85AeOdpSYKTvwMvJzcgbc8TfR04EFPAtuKLW+nEFrnSY02LZLxEAx vuGZp8FrAsvdB7t6nS2DclI5V2qEgdfMbt8r8GUVADtUhvPi6WOhphWiY+3NKdWscUr6 MtrQ==
X-Gm-Message-State: ALoCoQncA9pSxrBJIY0vSFqAtDeGgs70IDUSFLxKOF6kz5QB3EI4tbaIZQ8T/SMUmc41kTpKs/pv
X-Received: by 10.52.69.132 with SMTP id e4mr1623173vdu.91.1392846886255; Wed, 19 Feb 2014 13:54:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.198.12 with HTTP; Wed, 19 Feb 2014 13:54:06 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 19 Feb 2014 13:54:06 -0800
Message-ID: <CABcZeBOiheBZzs=OQB7ABYqZdUX4OKayg9M-VQtcRPDX3_craA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="20cf307abd91e1ecd104f2c96ff6"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qh08NxYsgFR5slZ5i5h5koWSam0
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 21:54:52 -0000

One more point that someone made to me offline.

The flows in this document make multiple use of the same DH/ECDH
share (i.e., pairing the client's ECDH share with two separate server
shares.) This is in some respects like static DH and so we should
provide appropriate security guidance. There's already some such
guidance in RFC 5246 Section F.1.1.3:

http://tools.ietf.org/html/rfc5246#appendix-F.1.1.3


We might also consider whether it makes sense to specify a fixed
set of DH parameters (a la IKE and in the spirit of the specified
curves in RFC 4492), thus avoiding any need for people to
validate. That seems like something that might be valuable for
all versions of TLS.

Do we need anything else?

-Ekr








On Wed, Feb 19, 2014 at 12:40 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> Folks,
>
> I have prepared a new version of the TLS 1.3 flows document which
> should appear in the repository shortly and in the meantime can be
> found at:
>
> https://github.com/tlswg/tls13-spec/blob/master/draft-rescorla-tls-1.3.txt
>
> This version fleshes out a "recommended" set of flows:
>
> - 2-RTT where the client has no knowledge of the
>   server's capabilities.
>
> - 1-RTT where the client knows the server's semi-permanent
>   DHE/ECDHE key pair.
>
> - 0-RTT where the client and the server have shared anti-replay
>   state.
>
> There are still a number of open issues, but this should be clear
> enough to see the direction I am trying to go. These flows are
> structured so that the 1-RTT case is the base case with the 2-RTT and
> 0-RTT versions being variants of the basic 1-RTT handshake. All
> variants encrypt the client extensions that are not required
> to define the cryptographic processing (e.g., SNI is encrypted
> but curve negotiation is not).
>
> I think the high order bit here is whether we want to have
> encrypted SNI, because that dictates the position of the DHE
> exchanges with respect to the server's messages.
>
> There are three options here:
>
> - Never
> - Sometimes
> - Always
>
> The flows in this draft take the position of "Always" which is
> simple. "Never" is actually simpler. "Sometimes" is the most
> complicated.  There are two cases where we could shave off latency if
> we were willing to disclose the SNI to passive attackers (and in cases
> where the client and server have never talked before.) My sense of
> recent discussion is that people feel it's important to have modes
> that protect SNI even if those are not the only modes. However, that
> means that if we want to have non-SNI protecting modes, they are
> additional complexity. Please let me know if I have misread the WG
> here.
>
>
> Here are some other things to keep in mind as you read the document.
>
> - Per my sense of the list, I have totally removed static RSA.  If
> people strongly object to that, please speak up and let me know.
>
> - There has been no real security analysis of this material other than
> at the hand-wavy level. We clearly need that, but the first thing we
> need is to be clear on whether this is approximately the right set of
> points in the complexity/performance/privacy tradeoff space and then
> make sure that the security properties are correct. So, if you see
> something that looks wrong or even grievously wrong, don't panic (but
> do point it out).
>
>
> - There is no currently defined support for any kind of resumption.
> We need to decide if resumption is still an important feature in light
> of the trend towards more PFS and faster processors.  I'm particularly
> looking for input from the IoT/DICE guys here.
>
> - We will probably need to work out some of the details for DTLS, but
> I wanted to get TLS nailed down first.
>
> - We also need to do some work on the symmetric crypto, e.g., to make
> encrypt-then-MAC the default, perhaps to deprecate some ciphers,
> compression, etc. I haven't forgotten that, but I want to deal with
> the handshakes first.
>
> - As before, this incorporates ideas from a lot of different people
> (and many times the same idea from different people). If you think
> you should acknowledged in the text and/or acknowledgements
> differently, please let me know.
>
> Thanks and comments welcome
> -Ekr
>
>
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email