IETF Logo Mail Archive

[TLS] Pull request for 1RTT Handshake

Eric Rescorla <ekr@rtfm.com> Thu, 03 July 2014 14:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC2E21A0162 for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 07:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kb3GjjZpTO9X for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 07:54:44 -0700 (PDT)
Received: from mail-we0-f179.google.com (mail-we0-f179.google.com [74.125.82.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 513EF1A00F8 for <tls@ietf.org>; Thu, 3 Jul 2014 07:54:44 -0700 (PDT)
Received: by mail-we0-f179.google.com with SMTP id w62so370292wes.38 for <tls@ietf.org>; Thu, 03 Jul 2014 07:54:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=FX24DUatI1O8wE4VGFe8C4RO9VumIjxHBoavwApR9dk=; b=GEH6Qj/dmmcpWN+yIqMHEymbSyswk3JG2OLCagewXcwaZQoW9TrJFbYzsfhBE4K2JH +xxWJniYVFIt2T8NP8+GOyJTbnWhVpN9qU4cw4mzAl4fDSDz0vNmZRk/JipxAwmbx4m+ x5Q6P0yY1AXDFI8TT2TZAQsX/BxHI/QcKoZe1KOchzPnKHVbUXpAdriykKWQ3fSLLPAN VJShpv3H5cSrUQXsnby9WfOSxNEn/aCcodoMmLbeEGKUGTbXgUoNMwZHDvt/Lbq37RWS xVbYhVfXAClXt70zQ0LKAFwr3SFjcgq/rTbGvlBfPOCwrDwc8tevIw68KQwAsvYPsFpJ h+6w==
X-Gm-Message-State: ALoCoQmSDvnFx9lsIe7U/qWMeoDhwGzTa93VwD1XFMA+Lxhan3x50OlwwZl1n3HPubhs2yqTMxbV
X-Received: by 10.194.110.10 with SMTP id hw10mr5469577wjb.81.1404399280286; Thu, 03 Jul 2014 07:54:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.57.202 with HTTP; Thu, 3 Jul 2014 07:54:00 -0700 (PDT)
X-Originating-IP: [2620:101:80fc:232:d111:1560:5df9:5c3d]
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 Jul 2014 07:54:00 -0700
Message-ID: <CABcZeBNTJZo+ua6eV8H1Pwb2MqzD=o20=s+XkiQUL9fftspJrQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e010d870c39a49f04fd4b30e1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/x9a-XxO4ax3meclLNOU3IuHoyCM
Subject: [TLS] Pull request for 1RTT Handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jul 2014 14:54:47 -0000

I've just put up a pull request that makes the first cut changes from
the consensus from Denver for 1-RTT handshake without SNI
protection. As we discussed, I'm leaving the door open for SNI
protection, but since these are separable work items, and this is
already a fairly signficant change I wanted to get the 1-RTT stuff
down first.

The PR can be found at:

  https://github.com/tlswg/tls13-spec/pull/52

It's still kind of rough and there are a bunch of open issues (and
most likely several mistakes) but I think it's clear what direction
it's going in.

I wanted to explicitly called out some known open issues in the draft,
both so I can get feedback/discussion on these and so that people know
they haven't been forgotten:

- Based on the mailing list and interim discussion and a bunch of
  private conversations, I wrote this up as requiring named DHE groups
  (and assuming we will want named ECDHE groups). This makes things
  quite a bit simpler and seemed like a good idea anyway. I recognize
  that I'm a bit ahead of the list consensus here, but my sense is
  that this was the emerging consensus.  If there are major objections
  to this change, I can rework things otherwise, but I believe it will
  make things more confusing.

- I have partly removed dh_rsa and dh_dss because they get in the way
  of having a common handshake pattern and nobody seemed to want
  them. Assuming nobody screams I will do a separate PR to remove them
  entirely.

- We need to take care that we don't introduce a downgrade issue in
  the 2-RTT flow (Figure 2) where the server tells the client he has
  sent an incorrect CKE. There are some open issues noted in the draft
  about how to do this exactly. Comments welcome.

- MT convinced me that the client should be able to make multiple
  ClientKeyExchange offers for different parameter sets, so I did
  that.

- The EarlyData mechanism is a bit overgeneral as opposed to an
  explicit ClientKeyExchange extension, but it seems like it's going
  to be useful when we do SNI encryption and 0-RTT.

- I haven't assumed we are going to incorporate ECDHE, but that
  seems like it's likely coming. Similarly, I expect to incorporate
  the triple handshake fix separately.

- I haven't added any support for the server-offered extensions
  that were proposed in Denver. That seems separable.

I intend to merge this into the draft on Friday. As should be clear
from the draft and the comments above, there are still open issues to
resolve, so even when it's merged in some of this is obviously
provisional. With that said, if there's stuff that looks clearly wrong
or there is an open issue that isn't properly identified, please let
me know.

Thanks,
-Ekr

P.S. Thanks to all the people who helped with earlier versions of
this, in particular Wan-Teh Chang Daniel, Kahn Gillmor, Andy
Lutomirski, Andrei Popov, Tom Ritter, Rich Salz, and Martin
Thomson.

v2.23.0 | Report a Bug | By Email