Re: [TLS] Privacy considerations - identity hiding from eavesdropping in (D)TLS

"Viktor S. Wold Eide" <viktor.s.wold.eide@gmail.com> Thu, 27 August 2015 08:37 UTC

Return-Path: <viktor.s.wold.eide@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44C5A1B39C1 for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 01:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cyzxR6YwiWW for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 01:37:41 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B82F1B36F4 for <TLS@ietf.org>; Thu, 27 Aug 2015 01:37:41 -0700 (PDT)
Received: by iodt126 with SMTP id t126so49221175iod.2 for <TLS@ietf.org>; Thu, 27 Aug 2015 01:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=HvNLDXTG+1tNyMnoMF5CjQrwCyM4Wqe4ZFncDpE53NI=; b=cXwW2rUe1zDCk1tgnJq4SsEm/3L+62yI0YcYC8zXFDcm4D4tGOhHKUYqRvRJwmuzaD FyDXOtyqSDXiYqRW0AX0nkHO1Orsf0c8t25ud01qOFY2p7l6p78G483GNg+4B14zqpa0 1XfDjXRdZx9SyY4OrfipcIU/+QHgV5csTBjgU8zl07MYQIfBJU/+NBX/3wMfP/mhWfAk nT0VD0o4lGVu9dObNtt3T4Oe5PcIlwKf9tiqMOlASbqW7oU7zd+R4Idqdk8jQVCqMtyS 9YVSz7fkEi325MnysEfAsaSlzivQj223LwMEr3MwOLG6gcL3CgWHI7L8KdaKg+hKKNXj W4Jg==
X-Received: by 10.107.151.194 with SMTP id z185mr8663097iod.63.1440664661055; Thu, 27 Aug 2015 01:37:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.84.68 with HTTP; Thu, 27 Aug 2015 01:37:01 -0700 (PDT)
In-Reply-To: <CABcZeBNP8SZeWWVj4_fGxZm-SvYG-cmtQoJ1xBaLLWsLKsNc4Q@mail.gmail.com>
References: <CAL6x8mchyh2Qpqcd5Rv-rXgZ+1_CAbV7vkib+-yU4DEDFx82Yg@mail.gmail.com> <CABcZeBNP8SZeWWVj4_fGxZm-SvYG-cmtQoJ1xBaLLWsLKsNc4Q@mail.gmail.com>
From: "Viktor S. Wold Eide" <viktor.s.wold.eide@gmail.com>
Date: Thu, 27 Aug 2015 10:37:01 +0200
Message-ID: <CAL6x8meDXvt441_ffzTv0gWvt8ydrvwkN3gMhORnTvOD++wJbQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary=001a1140e36a5cde90051e46e13f
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/r56BqzZkAYGw68hBvyRPHVQFAfs>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Privacy considerations - identity hiding from eavesdropping in (D)TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 08:37:43 -0000

On Mon, Aug 24, 2015 at 11:17 PM, Eric Rescorla <ekr@rtfm.com>; wrote:

>
>
> On Mon, Aug 24, 2015 at 1:56 PM, Viktor S. Wold Eide <
> viktor.s.wold.eide@gmail.com>; wrote:
>
>> Hi,
>>
>> I am looking for a way to achieve identity hiding for DTLS 1.2, which
>> also hopefully can be used in (D)TLS 1.3, when available.
>>
>> From what I understand, for (D)TLS 1.2 it would be possible to perform an
>> anonymous unencrypted handshake and then to renegotiate the connection with
>> authentication within the encrypted channel, e.g., according to the expired
>> draft [1]. From the latest TLS 1.3 draft [2] it appears that renegotiation
>> will be removed in the upcoming 1.3 version.
>>
>> What is likely to be the recommended way to achieve identity hiding for
>> (D)TLS 1.3, if any?
>>
>> [1] Transport Layer Security (TLS) Encrypted Handshake Extension,
>> draft-ray-tls-encrypted-handshake-00, expired in 2012
>> [2] The Transport Layer Security (TLS) Protocol Version 1.3,
>> draft-ietf-tls-tls13-07
>>
>>
> TLS 1.3 encrypts both the client's and server's certificates already.
> The server's certificate is secure only against passive attack. The
> client's is encrypted with a key that the client can authenticate as
> belonging to the server.
>
>
Thanks a lot for the clarification.

Would it be reasonable to include your answer or something similar into the
TLS 1.3 draft, for example in the "Major Differences from TLS 1.2" section?

Best regards
Viktor S. Wold Eide