Re: [TLS] Privacy considerations - identity hiding from eavesdropping in (D)TLS

[Eric Rescorla <ekr@rtfm.com>]

On Thu, Aug 27, 2015 at 1:37 AM, Viktor S. Wold Eide <
viktor.s.wold.eide@gmail.com> wrote:

>
> On Mon, Aug 24, 2015 at 11:17 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, Aug 24, 2015 at 1:56 PM, Viktor S. Wold Eide <
>> viktor.s.wold.eide@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am looking for a way to achieve identity hiding for DTLS 1.2, which
>>> also hopefully can be used in (D)TLS 1.3, when available.
>>>
>>> From what I understand, for (D)TLS 1.2 it would be possible to perform
>>> an anonymous unencrypted handshake and then to renegotiate the connection
>>> with authentication within the encrypted channel, e.g., according to the
>>> expired draft [1]. From the latest TLS 1.3 draft [2] it appears that
>>> renegotiation will be removed in the upcoming 1.3 version.
>>>
>>> What is likely to be the recommended way to achieve identity hiding for
>>> (D)TLS 1.3, if any?
>>>
>>> [1] Transport Layer Security (TLS) Encrypted Handshake Extension,
>>> draft-ray-tls-encrypted-handshake-00, expired in 2012
>>> [2] The Transport Layer Security (TLS) Protocol Version 1.3,
>>> draft-ietf-tls-tls13-07
>>>
>>>
>> TLS 1.3 encrypts both the client's and server's certificates already.
>> The server's certificate is secure only against passive attack. The
>> client's is encrypted with a key that the client can authenticate as
>> belonging to the server.
>>
>>
> Thanks a lot for the clarification.
>
> Would it be reasonable to include your answer or something similar into
> the TLS 1.3 draft, for example in the "Major Differences from TLS 1.2"
> section?
>

Sure. It's mostly a changelog now, but I'll try to add something.

-Ekr






> Best regards
> Viktor S. Wold Eide
>
>