Re: [TLS] A la carte handshake negotiation
David Benjamin <davidben@google.com> Fri, 26 June 2015 19:02 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B790C1A1BEA for <tls@ietfa.amsl.com>; Fri, 26 Jun 2015 12:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.511
X-Spam-Level:
X-Spam-Status: No, score=0.511 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OXuSmcFqc3Df for <tls@ietfa.amsl.com>; Fri, 26 Jun 2015 12:02:47 -0700 (PDT)
Received: from mail-ig0-x234.google.com (mail-ig0-x234.google.com [IPv6:2607:f8b0:4001:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FA731A6EDE for <tls@ietf.org>; Fri, 26 Jun 2015 12:02:43 -0700 (PDT)
Received: by igblr2 with SMTP id lr2so19334670igb.0 for <tls@ietf.org>; Fri, 26 Jun 2015 12:02:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=A7qaJvXmGg9RZNk7nF2KAdkzzpo7fpevZCJdeLSlqt4=; b=pbSG5DbNHzurdfYXN41orLnUEN69q6vuBtqigKg5xYy5bJ79hdBx/mUfLEYtll1j1y oYs7tJZqkBN32kZUz+n2jRjFYD+zMhDqVcTCyT/POv+uqg0wB/pWU0L4yRuq++dg4TSu cG52VeP1IKD+nTs2e6ewbLuf9rLYJxY8M9H+ei9plBGQOatogDJlmbD9gSzHpwC3iYmh VJeUOqB2RVaJRCaQymbEkPKHNMm7uihlJTd1X5jcCdekWcKL/zFiWXxNtmyFbuQVWi6c ZB5nw3UZcAHX7zZokk/xQoB1sudsw0AGGK8UQFj8lHzojqk7HrsZ3JlDkcdyl7rGZCM6 8lIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=A7qaJvXmGg9RZNk7nF2KAdkzzpo7fpevZCJdeLSlqt4=; b=O5rqgfiUv095QUpxMllI0eAChEqLreQgyOVOlIR+q/D0q7whHvEdHi3xzaV4RrHd+J A7EZw1TpQ6Zu5AH4/zKEhhTJ0U/PtNHZIwRmHTjz5fJ1ATx8GdCMudKKMVAHqEHTqolg yiv+70xFo8eKAtF8uMOVPRjnowT2sku2RaNzwG7CzV/KK6m9qXJ5y7yGTtELJTh7Sr69 U6k3GfovHyQ0p38Pi7LR/EkbQXopZc4AK/2WyO6B4SqlRBuQBzMlsGgio6EaH5T/r0Lp oie622mgEw6tqKyKoSCRE3JxBm1c+ABy4e1GGLEXshQv45sMUAVVL077wQXiaelmxMWj GClg==
X-Gm-Message-State: ALoCoQlLINQC+pRuyMYLOa8ukDFT9YKNBHWlSS9cCyPJzmbkTv4SlipVowSN5AHKYEqb/W0eNwwA
X-Received: by 10.107.130.153 with SMTP id m25mr3884379ioi.92.1435345362125; Fri, 26 Jun 2015 12:02:42 -0700 (PDT)
MIME-Version: 1.0
References: <201506111558.21577.davemgarrett@gmail.com> <20150616233111.GD6117@localhost> <201506170131.17179.davemgarrett@gmail.com>
In-Reply-To: <201506170131.17179.davemgarrett@gmail.com>
From: David Benjamin <davidben@google.com>
Date: Fri, 26 Jun 2015 19:02:32 +0000
Message-ID: <CAF8qwaCew287OLCdrgdKXbzbc+xWmT4eYWKfLJXLbTvEFVBJWA@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>, Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="001a113fc24c70d13c05197062a0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/te7qSbloHioDN_-XhKYX-HhNUKg>
X-Mailman-Approved-At: Sun, 28 Jun 2015 11:30:38 -0700
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2015 19:02:48 -0000
On Wed, Jun 17, 2015 at 1:31 AM Dave Garrett <davemgarrett@gmail.com> wrote: > [snip] > Ok, I revised the drafts and forked the anon deprecation changeset. > > Main draft proposal: > > https://github.com/davegarrett/tls13-spec/blob/alacarte/draft-ietf-tls-tls13.md#cipher-suites-in-tls-13 > > Version with deprecated anon suites: > > https://github.com/davegarrett/tls13-spec/blob/alacarte-noanonsuites/draft-ietf-tls-tls13.md#anonymous-key-exchange > > Note that both totally deprecate all DH(E) suites, as that's one of the > goals here. (due to weak DH params, old Java choking, & etc.) Thus, all > suites must be ECDHE prefixed for TLS 1.3 support under these proposals > (with the exception of plain PSK). All ECDHE suites would be capable of > negotiating either ECDHE or DHE using string groups via the extension. > > PSK & anon will need a litany of new ECDHE suites to be defined. There is > currently no ECDHE AEAD anon suite, thus none supporting TLS 1.3 (among the > reasons I pursued the idea of merging it into PSK). > > I'm fine with relegating the anon deprecation idea to the bin if we agree > to define all the new suites we need to maintain support. Getting > ECDHE_anon into the ChaChaPoly draft would be a start. > I have the same concerns with this version as before. I don’t believe it lowers the risk of accidental interop failure---if anything, it makes it worse. This scheme is still a problem for Chrome on Windows XP. This proposal effectively makes ECDSA (and ECDHE) MTI for any clients doing the standard PKI-based handshake. Whether or not this is desirable, it certainly should be spelled out clearly in the spec. Imagine how implementations look. Most allow configuring the cipher suite list. This now interacts subtly with configuring 1.3 ciphers, and we have the same interop risks of a parallel extension. What if the consumer, for whatever reason, omitted the ECDHE_ECDSA variant of some AEAD but included ECDHE_RSA? Now 1.2 servers work, 1.3 ones don’t. Alright, so what if we internally checked for consistency? That’s fine, but we could just as easily have checked for consistency between 1.2 cipher suites and a new 1.3 mechanism. A separate extension avoids any mixing of semantics and gives a clean break from the old pre-multiplied scheme. As for what this extension contains, I don’t have strong opinions over whether we go a la carte---pruning down to the GCMs and CHACHA would also address the explosion---but if we bother, it seems a list of AEAD or AEAD+PRF is correct. The key exchange is already consistently separated from the bulk cipher in TLS. It's a waste to ignore the one clear boundary that we actually have. If the worry is state-machine bugs due to PKI and PSK key exchanges being different, we won’t guard against them by separating ECDHE_PSK_WITH_AES_128_GCM_SHA256 from ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. No one would make ECDHE_PSK_WITH_AES_128_GCM_SHA256 use a codepath from ECDHE_PSK_WITH_CHACHA20_POLY1305, so sufficiently similar cipher suites will be funneled together anyway. David
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Aaron Zauner
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Aaron Zauner
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- [TLS] ECDH_anon I-D (was: A la carte handshake ne… Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Salz, Rich
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Salz, Rich
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Viktor Dukhovni
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Hubert Kario
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Daniel Kahn Gillmor
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation David Benjamin
- Re: [TLS] A la carte handshake negotiation Daniel Kahn Gillmor
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Peter Gutmann
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Nico Williams
- Re: [TLS] A la carte handshake negotiation Manuel Pegourie-Gonnard
- Re: [TLS] A la carte handshake negotiation Eric Rescorla
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Dave Garrett
- Re: [TLS] A la carte handshake negotiation Kyle Rose
- Re: [TLS] A la carte handshake negotiation Martin Thomson
- Re: [TLS] A la carte handshake negotiation Ilari Liusvaara
- Re: [TLS] A la carte handshake negotiation Peter Gutmann
- Re: [TLS] A la carte handshake negotiation Kyle Rose
- Re: [TLS] A la carte handshake negotiation Peter Gutmann