Re: [TLS] Industry Concerns about TLS 1.3

Colm MacCárthaigh <colm@allcosts.net> Thu, 22 September 2016 23:50 UTC

In-Reply-To: <CADi0yUPZzLrPize4eKpASdM=2nm1h1T2UXs7_sdk2eDv=ku_2w@mail.gmail.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CADi0yUPZzLrPize4eKpASdM=2nm1h1T2UXs7_sdk2eDv=ku_2w@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Thu, 22 Sep 2016 16:50:16 -0700
Message-ID: <CAAF6GDfTCgaxvgb8cRu9iA3SoK208SKjJcC_DM_skWA93bG1xg@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sangU_r8WLsQASb_vPIbGhNxUv0>
Cc: "tls@ietf.org" <tls@ietf.org>

On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>
wrote:

> If the problem is the use of forward secrecy then there is a simple
> solution, don't use it.
> That is, you can, as a server, have a fixed key_share for which the secret
> exponent becomes the private key exactly as in the RSA case. It does
> require some careful analysis, though.
>

I think that this may be possible for TLS1.3 0-RTT data, but not for other
data where an ephemeral key will be generated based also on a parameter
that the client chooses.

-- 
Colm
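As an added example, not from the thread or either poster, the two TLS 1.3 key-schedule steps behind the distinction above, written with Python's standard library: the early secret that 0-RTT keys hang off is extracted from the PSK alone, while the handshake secret that protects everything else also folds in the (EC)DHE output, which changes with the client's key_share even when the server's share is fixed. The DH group and key values are constructed toys for illustration, not a real TLS group.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract; an empty salt is equivalent to HashLen zero bytes
    return hmac.new(salt or b"\x00" * HLEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel from RFC 8446 section 7.1: uint16 length, "tls13 " + label, context
    full = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)

# Toy finite-field DH standing in for the key_share group (constructed, NOT secure)
P, G = 2**127 - 1, 2

def key_schedule(psk: bytes, server_priv: int, client_priv: int, transcript: bytes):
    """Return (early_secret, handshake_secret) for one handshake (RFC 8446 section 7.1)."""
    shared = pow(pow(G, client_priv, P), server_priv, P)
    ecdhe = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    early_secret = hkdf_extract(b"", psk)            # 0-RTT keys derive from this
    derived = derive_secret(early_secret, "derived", b"")
    handshake_secret = hkdf_extract(derived, ecdhe)  # handshake/app keys derive from this
    return early_secret, handshake_secret

def compare_sessions(psk: bytes, server_priv: int, client_privs):
    """Count distinct early and handshake secrets across sessions with a fixed server share."""
    results = [key_schedule(psk, server_priv, c, b"") for c in client_privs]
    return len({r[0] for r in results}), len({r[1] for r in results})

if __name__ == "__main__":
    print(compare_sessions(b"\x11" * 32, 12345, [1, 2, 3]))  # (1, 3)
```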