Re: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3

Tony Putman <Tony.Putman@dyson.com> Tue, 10 April 2018 09:17 UTC

From: Tony Putman <Tony.Putman@dyson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3
Date: Tue, 10 Apr 2018 09:17:16 +0000
Message-ID: <140080C241BAA1419B58F093108F9EDC1DBF4FA2@UK-MAL-MBOX-01.dyson.global.corp>
References: <CABcZeBON1KiUUFx9h863APxB31Poy-czNpYS1+HwZjyQxn6wEw@mail.gmail.com> <b76b0d82-5714-4e1e-82ff-3f8af59c2c3e@Spark> <140080C241BAA1419B58F093108F9EDC1678CD1A@UK-MAL-MBOX-02.dyson.global.corp> <CABcZeBNowz0irFwU-hJkrbV=zJhW4Vgtn5=e6zvm_NU2ZAG7_g@mail.gmail.com>
In-Reply-To: <CABcZeBNowz0irFwU-hJkrbV=zJhW4Vgtn5=e6zvm_NU2ZAG7_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/twWbc-n9n5BdbOS1ZoIip6tdNTY>
Subject: Re: [TLS] Semi-Static Diffie-Hellman Key Establishment for TLS 1.3

I've been thinking about this on and off.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: 08 March 2018 23:25
I think that this and draft-putman are not competing, but rather that they serve different use cases
Agreed. It sounds like you have a set of use cases where you know how to predistribute the server key? This is the part we found challenging in the web context.

Yes, the use case I was addressing was identical to external PSK, so the server key is distributed in the same way as the external PSK is distributed (for example, factory provisioning).

But in the web context, it occurs to me that the server key could be distributed in the URL. A method similar to (or even a repurposing of) the username/password option could be used when chaining from one web site to another. For example, one site could link to another using the URL https://<keyid>:<ECDH public key>@<host>. This would allow the client to make its first request to the new site using 0-RTT traffic.

A number of issues:
1) What if the public key has been retired? The client should include alternative authentication methods so that the handshake could proceed, though of course the request would have to be repeated once the connection was established.

2) This allows an attacker to leverage a vulnerability in one site to impersonate another. To mitigate this, the handshake could include Certificate/CertificateVerify messages in server's response to provide independent authentication.

3) Does this work at web scale? I can't answer: not my area of expertise. Proxies would have to be smarter, but provided the client includes non-3DH authentication methods in the ClientHello, then the failure cases will not cause any additional RTTs in setting up the connection.

Is it worth tackling these issues to save one RTT when connecting to a new host? Again, I don't know, but I think it's a question worth asking.

Tony


Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK.
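An added worked example, not part of the message above nor of draft-putman, modelling the URL-carried key idea and issues 1 and 2 from the post. The URL layout `https://<keyid>:<base64url X25519 key>@<host>/`, the server key store, the offer/handshake dictionaries and the fallback rule are all assumptions made for this illustration; the draft's real message formats and key schedule are not reproduced. X25519 is implemented from RFC 7748 in pure Python so the example runs offline.

```python
import base64
import os
from urllib.parse import urlsplit

# --- X25519 (RFC 7748) in pure Python, sufficient for an offline demo ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 on a clamped scalar and masked u."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    uu = bytearray(u)
    uu[31] &= 127
    x1 = int.from_bytes(uu, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def agree(priv: bytes, peer_pub: bytes) -> bytes:
    """Shared secret; an all-zero result means a low-order peer key and is rejected."""
    ss = x25519(priv, peer_pub)
    if ss == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return ss


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_key_url(keyid: str, server_pub: bytes, host: str) -> str:
    """Build the link one site would hand out for another (assumed layout)."""
    return f"https://{keyid}:{b64url(server_pub)}@{host}/"


def parse_key_url(url: str):
    """Return (keyid, server_pub, host); reject anything that is not a 32-byte key."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.username or not parts.password:
        raise ValueError("URL carries no key id / public key in its userinfo")
    pad = "=" * (-len(parts.password) % 4)
    server_pub = base64.urlsafe_b64decode(parts.password + pad)
    if len(server_pub) != 32:
        raise ValueError("expected a 32-byte X25519 public key")
    return parts.username, server_pub, parts.hostname


class ServerKeyStore:
    """Semi-static keys the server still accepts, plus the ids it has retired (assumed shape)."""

    def __init__(self):
        self.private = {}
        self.retired = set()

    def add(self, keyid: str) -> bytes:
        self.private[keyid] = os.urandom(32)
        return x25519(self.private[keyid], BASEPOINT)

    def retire(self, keyid: str) -> None:
        self.retired.add(keyid)
        self.private.pop(keyid, None)


def client_offer(url: str) -> dict:
    """Client side: derive a secret from the URL key, but keep offering certificate
    authentication so a retired key (issue 1) costs no extra round trip."""
    keyid, server_pub, host = parse_key_url(url)
    eph = os.urandom(32)
    return {
        "host": host,
        "keyid": keyid,
        "eph_pub": x25519(eph, BASEPOINT),
        "client_secret": agree(eph, server_pub),
        "auth_methods": ["semi_static_dh", "certificate"],
    }


def server_handshake(store: ServerKeyStore, offer: dict) -> dict:
    """Server side: use the semi-static key if its id is still live, else fall back.
    In either branch the server should still send Certificate/CertificateVerify:
    the URL key only proves the peer matches whatever the linking site published,
    which is the cross-site impersonation concern (issue 2)."""
    keyid = offer["keyid"]
    if keyid in store.private and "semi_static_dh" in offer["auth_methods"]:
        return {"mode": "semi_static_dh",
                "server_secret": agree(store.private[keyid], offer["eph_pub"])}
    if "certificate" in offer["auth_methods"]:
        return {"mode": "certificate", "server_secret": None}
    raise ValueError("no usable authentication method offered")
```

The shape of the offer is the point: the client never relies on the URL-carried key alone, so a key the server has since retired degrades to the certificate path without a further round trip, and a key planted by a compromised linking site still meets an independent certificate check on the server's side.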