IETF Logo Mail Archive

Re: [TLS] Potential New Handshake Flows for TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Wed, 06 November 2013 04:16 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ADF021E80F9 for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 20:16:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.26
X-Spam-Level:
X-Spam-Status: No, score=-2.26 tagged_above=-999 required=5 tests=[AWL=-0.260, BAYES_00=-2.599, J_CHICKENPOX_75=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EpdenSGnKWKa for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 20:16:33 -0800 (PST)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) by ietfa.amsl.com (Postfix) with ESMTP id B54BA21E8104 for <tls@ietf.org>; Tue, 5 Nov 2013 20:16:30 -0800 (PST)
Received: by mail-wi0-f180.google.com with SMTP id ey11so3099092wid.1 for <tls@ietf.org>; Tue, 05 Nov 2013 20:16:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4x55lPcGHd6zbUFB5JNuZFUXJX/8WIqjYbcIqlrEsC0=; b=sahfZRVoUT788pJH6j2shcxh7+HKUhorJNP0MW/o02KJkpqatNxsQkJ9O6qdDe0dKU ZAZu+RnzBoJTSNKo2uB95VZ1eV/Bl3y/VAgMWvVPYxjryisYtTptX8MJ6GFD0kakkmkQ DHayDJyqp8UfWyFlL7DEYUwigsaQEfEWe6ElJROg1FvZQehYbRfPSDlNbbr3jxPmOU+h liSxiazZVDrz8LLV7hhYfKqLJ+e3Y10usLJI6ld8n79sTT68LMc4VvWZrgNeFPgNjQrL 0vL6BDD+WB38+Ywp8xyrGQ4lIpxMTUyge5xG0V/YvCOhnwEI+RRSTN+OO2fMjU2W8RbB L65w==
MIME-Version: 1.0
X-Received: by 10.180.106.133 with SMTP id gu5mr19734943wib.0.1383711389615; Tue, 05 Nov 2013 20:16:29 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Tue, 5 Nov 2013 20:16:29 -0800 (PST)
In-Reply-To: <CAK3OfOifhK8KZL_1PRa1R-YHguHf+ZtMZJFG2nNxn7KOiWFDUA@mail.gmail.com>
References: <CABcZeBPcJW7juru-RsYM+_of8xTd8Nk0xRJApztcmoEh3r-EoQ@mail.gmail.com> <CACsn0ckySgQBQBsa0HtTKXCt4-23MQ6z+4KUYVhM0+3=xuwzpg@mail.gmail.com> <CAK3OfOifhK8KZL_1PRa1R-YHguHf+ZtMZJFG2nNxn7KOiWFDUA@mail.gmail.com>
Date: Tue, 05 Nov 2013 20:16:29 -0800
Message-ID: <CACsn0ckFFzhsmaBaXXNb7eeDA7DhSGw6JZdFR9_4KQYLrroNcQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Potential New Handshake Flows for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 04:16:33 -0000

On Tue, Nov 5, 2013 at 8:01 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Tue, Nov 5, 2013 at 9:38 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> Is there a technical reason we can't have the client send an ECDH key,
>> server respond with ECDH key and signature of client
>> and server keys, and then use that key for a transmission in the response.
>> This has one round trip latency, and is secure under standard assumptions.
>
> Sure, but this is optimistic; there has to be a fallback if the server
> doesn't like the client's proposed curve/group/whatever.  The client
> could send multiple DH keys, but...  Also, might as well always use
> key agreement (which isn't quite the same as PFS, since what should be
> ephemeral keys might get reused).
>
> So, at least for initial [and therefore non-resumption] connections
> there must be at least an option for a 1.5 round trip handshake.  Note
> that a 1.5 round-trip handshake does not add a round-trip's worth of
> latency to when the client can start sending application records -- it
> only adds local crypto's worth of latency.
Solution: the client says what it will accept and offer, and the
server goes first. Actually,
I don't like that idea because we have to have the server present an
authentication of the handshake.
The fact that we need this is utterly horrid: there should be so few
options that
the chances of success are very good.

Seriously, why don't we resolve to do it right this time? Yes,
backwards compatibility matters, but at this point
it will break because RC4 is dead, and so is AtE without seriously clever fixes.
>
>> The second issue is that historically the handshaking has been a
>> plague upon the security: We should chop out handshakes,
>> not add them, to simplify the analysis. This assumes we keep the
>> bloated message+extension format here.
>
> The key to this is negotiating key agreement, DH groups/curves, KDFs,
> hash functions, server authentication methods, and symmetric (and
> authenticated) ciphers+modes separately, in as compact a way as
> possible (variable-length bitmasks, with a registry of bit numbers).
> With optimal initial assignments (optimal for assignment-time
> conditions anyways, or near future) this might yield really, really
> small hellos.
Will anyone not using AES_GCM, AES_SHA256, or the ECDHE variants
thereof, please explain to the list
what your reason is?
>
> Nico
> --



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email