Re: [TLS] A la carte handshake negotiation
Kyle Rose <krose@krose.org> Wed, 22 July 2015 08:50 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rMIywSQPTlIKBqAZQQShCDYXCs4>
I'd like to see the bits of the cipher suite associated entirely with ephemeral data tied together roughly by security margin, to avoid combinations that don't make sense (e.g., straw men of RSA384 + AES256 or AES256 + CRC32). This means: the type/size of the (EC)DHE group and the symmetric cipher (and possibly the MAC, if it's anything other than "GCM"). So, you'd potentially have something like

    ECDHE256-AES256-GCM
    DHE2048-AES256-GCM
    DHE1536-AES128-GCM

etc.

The signature algorithm (ECDSA, RSA, etc.) would be entirely separate. This isn't like the old days when the RSA key was used to exchange the keys: in the FS world, RSA is never used for key agreement, so RSA/ECDSA is used only to authenticate the server and is therefore orthogonal to the cipher suite negotiated above... and it's also implicit from the set of certificates the server has available.

This unfortunately means we can't really tie the signature security margin to the cipher suite (going back to the RSA384 straw man), but since it's a pre-existing credential nothing can be done by the client other than to hang up if it's spooked by that. To fix this, we'd really need to go down the road of specifying the key size in the cipher suite, e.g. RSA2048 or ECDSA25519, which I'm not sure anyone wants. Does anyone want that? I ask because there are a ton of servers with 1024-bit RSA keys negotiating AES256-GCM, which tells an attacker exactly what to focus on. (In theory: a tire iron is still probably faster than factoring RSA1024.)

The nice thing about the above approach is that IMO it actually makes things simpler for an implementer: the cipher suite list becomes a lot smaller but still covers most of the options, avoiding the complexity of full a la carte, while the signature algorithm is implicit for the server. So, we're not at libsodium level of simplicity, but closer.

The one thing I'm having trouble pinning down is PSK. I fear it's not a separate dimension, because it replaces both signature and KEX.

Kyle
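
Added example, not part of the original message: a small audit that scores each component of suite names in the format proposed above, together with an assumed certificate key, and reports the weakest link. The strength table follows the comparable-strength figures in NIST SP 800-57 Part 1; rounding in-between sizes such as DHE1536 down to the next row, the function names, and the certificate keys in the sample inventory are assumptions of this example.

```python
import re

# Comparable strengths in bits, after NIST SP 800-57 Part 1.
# Sizes that fall between rows are rounded DOWN (an assumption of this example).
FFC_IFC = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]  # RSA, DH
ECC = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]  # ECDH, ECDSA

def strength(kind, size):
    """Estimated security bits for one component; 0 if below the smallest row."""
    if kind == "AES":
        return size
    table = ECC if kind.startswith("EC") else FFC_IFC
    return max((bits for minimum, bits in table if size >= minimum), default=0)

def parse(name):
    """Split names such as 'ECDHE256-AES256-GCM' or 'RSA1024' into (kind, size) pairs."""
    parts = re.findall(r"(ECDHE|DHE|ECDSA|RSA|AES)(\d+)", name)
    if not parts:
        raise ValueError(f"unrecognised component: {name!r}")
    return [(kind, int(size)) for kind, size in parts]

def audit(suite, cert_key):
    """Return (effective_bits, weakest_component, per-component strengths)."""
    scored = {f"{k}{s}": strength(k, s) for k, s in parse(suite) + parse(cert_key)}
    weakest = min(scored, key=scored.get)  # first component wins a tie
    return scored[weakest], weakest, scored

if __name__ == "__main__":
    # Constructed inventory: suite names from the message, certificate keys assumed.
    inventory = [("ECDHE256-AES256-GCM", "RSA1024"),
                 ("DHE2048-AES256-GCM", "RSA2048"),
                 ("DHE1536-AES128-GCM", "ECDSA256")]
    for suite, cert in inventory:
        bits, weakest, scored = audit(suite, cert)
        print(f"{suite:20} cert={cert:9} effective={bits:3} weakest={weakest} {scored}")
```

The first row is the case the message describes: a 1024-bit RSA certificate caps the connection at roughly 80 bits no matter how strong the negotiated ephemeral suite is.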