[TLS] Initial draft of DH-based key exchange
Eric Rescorla <ekr@rtfm.com> Mon, 23 March 2015 13:37 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24BC51A8A5E for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 06:37:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qyi-tIOY8cjJ for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 06:37:24 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69E31A89ED for <tls@ietf.org>; Mon, 23 Mar 2015 06:37:23 -0700 (PDT)
Received: by wibdy8 with SMTP id dy8so47680500wib.0 for <tls@ietf.org>; Mon, 23 Mar 2015 06:37:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=MXI7QsM01YR6hRDsD5n2wFi8QkE9I8DxQXTmvEhZdQ4=; b=HPU4/mVXG8vDjnBMDW9fOlxfdUD/+EnL9JWuqAUzai20en579T+2ylIYUJXEsb5lBc sufupreBhmOO5tCzuBguCtXo79EFq98wjqii2CRlP6p0avuthflfq9TLJyLyX8CSzY2J 3d8PlzHbKoxdFs6DCZBUJPUzv0BI7SSRyteXSJrEvK2Bhfkvd0q6Eez6JO/zuYGregH4 02CyDWinANrF0K81GLJbtmW0oV8Qqn3XjmLbJdUoSnz9bl+gxtyteH4ViI1YMvByndVy CS+rUe/vCBUP4mP95+pg/RNwIU73a5pTh5X/1vjSu1eC3nxKYtgXx7EnNxUWgUFEKgH1 CLHA==
X-Gm-Message-State: ALoCoQknH1VYeANMaCpbRgdMqo/RvODrQVEaSlCFQv0I61bep4oXFYnWP+AZ4fhmAQZG0SpBHAhC
X-Received: by 10.180.218.200 with SMTP id pi8mr19628211wic.71.1427117842039; Mon, 23 Mar 2015 06:37:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Mon, 23 Mar 2015 06:36:41 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2015 08:36:41 -0500
Message-ID: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1135e462071cf30511f4c471"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/u073t1Cuw4zhb6KJ3jQGSfcgPSU>
Subject: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 13:37:26 -0000
Folks, At the interim discussed transitioning to a DH-based handshake (rather than a signature-based one) like that proposed by Hugo Krawczyk and Hoeteck Wee. The major rationale for this change is that any 0-RTT mode is inherently DH-based and so if we make that our basic mode, then we can simplify the protocol logic and key derivation model. This model also allows us to pull in PSK modes under the same basic structure. However, in the near term it's clear that servers will continue to have RSA and ECDSA certificates rather than (EC)DH certificates, so we need some way to reuse those credentials. The two major options are: - An offline signature of the server's DH share. - An online signature of the server's DH share that's tied to the handshake in some way. The WG sentiment was generally favorable to exploring this avenue but there was also airly strong WG sentiment that we didn't presently want to do an offline signatures. This leaves with a model in which the client initially learns the server's semi-static DH share through an online-signed 1-RTT handshake but then can cache it for use with future connections. As an outcome of the interim, I was asked to write up an initial draft of what this would all look like and post it to the list. You can find such a draft at: Git branch: https://github.com/ekr/tls13-spec/tree/WIP_dh_based Text file: https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based.txt HTML diff: https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based-diff.html Please note that this is a very rough draft and no doubt contains a number of major errors (and certainly has seen no security review). Please point these out to me if you find them, especially if they impede understanding. Assuming that people are happy with this general direction, I will clean it up and turn it into a PR. A number of other notes: - There is generally not support here for 0-RTT. I am developing that on a separate branch (based on that branch) and will be cleaning it up and posting it in the next few days. You will, however, probably notice some hooks for 0-RTT that don't do anything yet. - In Section 7.3.7 there is a discussion about using the same DH share for the semi-static and epehemeral server keys. This is an important part of getting performance comparable between the 1-RTT mode and the current 1-RTT mode. We discussed this extensively at the interim and I believe that Hugo and Hoeteck consider this safe, but any information to the contrary would be very useful at this point. - The key schedule in Section 8.1 is probably going to change, but that shouldn't impede understanding. - During the interim we also discussed moving to HKDF. This branch includes a draft version of that change as well as using separate HKDF invocations to generate each traffic key. As usual comments welcome; I look forward to discussing this in Dallas. -Ekr
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara