Re: [TLS] I-D: CipherSuites for Kerberos + DH
Rick van Rein <rick@openfortress.nl> Tue, 13 October 2015 03:01 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 435191B2F70 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 20:01:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqsrQHU5LeDd for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 20:01:32 -0700 (PDT)
Received: from lb3-smtp-cloud6.xs4all.net (lb3-smtp-cloud6.xs4all.net [194.109.24.31]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6FF61B2F66 for <tls@ietf.org>; Mon, 12 Oct 2015 20:01:31 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud6.xs4all.net with ESMTP id UT1T1r00E10HQrX01T1UF4; Tue, 13 Oct 2015 05:01:29 +0200
Message-ID: <561C7405.8000501@openfortress.nl>
Date: Tue, 13 Oct 2015 05:01:25 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Watson Ladd <watsonbladd@gmail.com>
References: <561A0ED6.1000505@openfortress.nl> <20151011121701.GA26616@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0c=0dFpaRyiSsErVg_2cuco6M8mMgMS3YHLpxYEuH_82kw@mail.gmail.com> <561B419D.4010009@openfortress.nl> <20151012103650.GA28213@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20151012103650.GA28213@LK-Perkele-V2.elisa-laajakaista.fi>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xulouzhrk5SfwLyKh98UEzqf18o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D: CipherSuites for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 03:01:34 -0000
Hello Ilara / Watson / TLS WG, Thanks again, If I was to do things like the current proposal (as opposed to overloading DHE-PSK), I would put in hash of entiere client and server first flights. Now I see what you mean. Indeed, the master secret used in Finished does not take it into account in TLS 1.2, except under RFC 7627. > > > The SKE security issue (SKE isn't bound to the ciphersuite) has surfaced > at least three times: > > 1) The DHE/ECDHE confusion. > 2) FREAK > 3) Logjam Thanks, those are very good reasons indeed :) >> Watson> I would suggest piggybacking on the PSK mode, using the key Kerberos >> Watson> provides at both ends as the PSK key. This would address all of these >> Watson> issues in TLS 1.3 > I think he means stuffing the key from kerberos as PSK input in > (EC)DHE-PSK ciphersuite. That is not going to work for this. PSK communicates untyped blobs, which makes the server take a leap of faith, and so it is pretty much limited to internal use. I'm working on getting Kerberos to crossover between realms, and TLS-KDH might become the killer app for that. The key-handling approach of PSK got me thinking though (pre-master = DH-shared-secret + preshared-key). It is a strikingly simple method to make (EC)DH orthogonal to the authentication exchange. It means all the DH-specifics can go... perhaps 75% of my text! >> Ilari> - Even use of DH is questionable. >> >> This is mod-exp DH, on account of its need for very large keys, right? >> >> I would love to take it out, and only leave ECDH; I put up mod-exp DH >> initially because it might be desired for backward compatibility. If >> I hear no warm-felt desire for mod-exp DH I will gladly remove it. > > Backward compatiblity? I don't think you need such thing with proposal > like this. I am now preparing a new form, with ClientCertificate := krbTicket and CertificateVerify := krbAuthenticator. That seems to integrate really well with the rest of TLS, also for 1.3. * the Authenticator hashes all prior messages and stores them in "checksum", leading to the requested binding * the CertificateRequest can ask for various forms of authentication, even mixing Kerberos and X.509 * there will be Kerberos-only CipherSuites (mutual exclusion, so this authenticates the server) but it can also work with TLS_ECDHE_RSA_ et al * the TicketRequirementFlags will be a TLS Extension during ClientHello / ServerHello Rather different -- so a new text is coming up. -Rick
- [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Eric Rescorla
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Paul Wouters
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Hugo Krawczyk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Ilari Liusvaara
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Rick van Rein
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Benjamin Kaduk
- Re: [TLS] I-D: CipherSuites for Kerberos + DH Watson Ladd