Re: [TLS] Privacy considerations - identity hiding from eavesdropping in (D)TLS

Eric Rescorla <ekr@rtfm.com> Thu, 27 August 2015 11:17 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605381B2CB0 for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 04:17:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZbLRbB-C9r77 for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 04:17:50 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C56B1B2BEF for <TLS@ietf.org>; Thu, 27 Aug 2015 04:17:49 -0700 (PDT)
Received: by wicne3 with SMTP id ne3so599281wic.0 for <TLS@ietf.org>; Thu, 27 Aug 2015 04:17:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=ZEU48+SmP4quW/gKuQSKWVlQh0cGM9HFNIgwpGWAJhk=; b=Hqzbaxa5yHHBSlgb6L3xgubv5tGbfGgOhH4Ng3hPw5DTFMdS4b9Hc6NXgNsn6HIg+d m0EIhc607yxoPbcDn03AR0K/d5cdN47VrhAmvFWeCZR9HBu+EVD659oJ2ERPQyGRrzKN kNH6sYn+vgJnrn495uf5gB+Z6WBVoilKLmHOFTKCLRo17zwIKu1FL9w7Sz6XrrMhn21V /KSPi8BCmDHXrd+fxSokkchz2hY6MwrGlXpwF4g/ZFwoB3nrqE0hC61TnUt8pT5VHAoU A2IRQaJdZA8ltD6WSHh55q3h0gY5Ut1908r3cyu+iEJT+MVmvjaxL+ro7eswI8O3O3GP cB+A==
X-Gm-Message-State: ALoCoQmREkjFj7Ug04HGeDeOTiJR3IAcabyX+S80j6m7nsBmJD85YhlPfqkfvLe5KwyaIN5XWq8b
X-Received: by 10.194.133.73 with SMTP id pa9mr4140613wjb.148.1440674268334; Thu, 27 Aug 2015 04:17:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.179.221 with HTTP; Thu, 27 Aug 2015 04:17:08 -0700 (PDT)
In-Reply-To: <CAL6x8meDXvt441_ffzTv0gWvt8ydrvwkN3gMhORnTvOD++wJbQ@mail.gmail.com>
References: <CAL6x8mchyh2Qpqcd5Rv-rXgZ+1_CAbV7vkib+-yU4DEDFx82Yg@mail.gmail.com> <CABcZeBNP8SZeWWVj4_fGxZm-SvYG-cmtQoJ1xBaLLWsLKsNc4Q@mail.gmail.com> <CAL6x8meDXvt441_ffzTv0gWvt8ydrvwkN3gMhORnTvOD++wJbQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 27 Aug 2015 04:17:08 -0700
Message-ID: <CABcZeBO=X5rmK7=6F=im0sPSt4nVUAyU2hTV+Fb1Jwu4Y0HzuA@mail.gmail.com>
To: "Viktor S. Wold Eide" <viktor.s.wold.eide@gmail.com>
Content-Type: multipart/alternative; boundary=089e011771a9006279051e491e9e
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/y974ga7uxwttoz_6in4-SBja2RY>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Privacy considerations - identity hiding from eavesdropping in (D)TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 11:17:52 -0000

On Thu, Aug 27, 2015 at 1:37 AM, Viktor S. Wold Eide <
viktor.s.wold.eide@gmail.com>; wrote:

>
> On Mon, Aug 24, 2015 at 11:17 PM, Eric Rescorla <ekr@rtfm.com>; wrote:
>
>>
>>
>> On Mon, Aug 24, 2015 at 1:56 PM, Viktor S. Wold Eide <
>> viktor.s.wold.eide@gmail.com>; wrote:
>>
>>> Hi,
>>>
>>> I am looking for a way to achieve identity hiding for DTLS 1.2, which
>>> also hopefully can be used in (D)TLS 1.3, when available.
>>>
>>> From what I understand, for (D)TLS 1.2 it would be possible to perform
>>> an anonymous unencrypted handshake and then to renegotiate the connection
>>> with authentication within the encrypted channel, e.g., according to the
>>> expired draft [1]. From the latest TLS 1.3 draft [2] it appears that
>>> renegotiation will be removed in the upcoming 1.3 version.
>>>
>>> What is likely to be the recommended way to achieve identity hiding for
>>> (D)TLS 1.3, if any?
>>>
>>> [1] Transport Layer Security (TLS) Encrypted Handshake Extension,
>>> draft-ray-tls-encrypted-handshake-00, expired in 2012
>>> [2] The Transport Layer Security (TLS) Protocol Version 1.3,
>>> draft-ietf-tls-tls13-07
>>>
>>>
>> TLS 1.3 encrypts both the client's and server's certificates already.
>> The server's certificate is secure only against passive attack. The
>> client's is encrypted with a key that the client can authenticate as
>> belonging to the server.
>>
>>
> Thanks a lot for the clarification.
>
> Would it be reasonable to include your answer or something similar into
> the TLS 1.3 draft, for example in the "Major Differences from TLS 1.2"
> section?
>

Sure. It's mostly a changelog now, but I'll try to add something.

-Ekr






> Best regards
> Viktor S. Wold Eide
>
>