Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Fri, 06 February 2015 17:08 UTC

From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
To: Shahin Noursalehi <mixoftix@gmail.com>
Cc: abadi@cs.ucsc.edu, tls@ietf.org, ChristopherA@alacritymanagement.com
Date: Fri, 06 Feb 2015 18:07:57 +0100
Subject: Re: [TLS] the idea of using multiple keys with multiple certificate authorities in a TLS session.
Message-Id: <3FE6EA13-AF0F-4838-9F1F-CB0DEC158225@gmail.com>
In-Reply-To: <CADrAmL6xOMOauSHuTR8BUK7i4NG2Zx3H90dA6k36YMu81pVW0A@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zpPMqKYFnnV_pMoEl0WkP3zNJGg>

This scheme seems to assume an RSA key exchange which no longer exists in TLS 1.3.

To adapt the multiple PMS design to (EC)DHE would require more work, and it is not clear what the benefit would be.

-Karthik

On 05 Feb 2015, at 10:17, Shahin Noursalehi <mixoftix@gmail.com> wrote:

> Dear Sir/Madam,
> 
> Refer to discussions around TLS 1.3 in Linkedin group "Cryptographers
> and Cryptanalysts", contributor experts agree on the idea of using
> multiple keys with multiple certificate authorities in a TLS session.
> So if one certificate authority is compromised, hopefully the others
> are not. The suggested solution would be like the process below:
> 
> Refer to the way that TLS generates the *master_secret*:
> 
> master_secret = PseudoRandomFunction(pre_master_secret, "master
> secret", ClientHello.random + ServerHello.random)
> 
> We could generate multiple peer-to-peer pre_master_secret(s) for each
> public-key that we receive from the server and XOR them all together.
> So, our offered method of calculation of master_secret will convert
> to:
> 
> master_secret = PseudoRandomFunction(multiple_pre_master_secret,
> "master secret", ClientHello.random + ServerHello.random)
> 
> where:
> 
> multiple_pre_master_secret = XOR(pre_master_secret_1,
> pre_master_secret_2, .. pre_master_secret_n)
> 
> and, aiming at preventing basic attacks that are known against
> the one-time pad, we could add a circular-bit-rotation(m) to the
> calculation above each time we do an XOR:
> 
> multiple_pre_master_secret = ROT(XOR(pre_master_secret_1,
> pre_master_secret_2, .. pre_master_secret_n), m)
> 
> Please let us know your points of view, then we could continue
> discussing the TLS.
> 
> With best regards
> 
> Shahin Noursalehi
> 
> 
> Reference:
> 
> https://www.linkedin.com/groups/what-are-new-methods-attack-3901854.S.5958888203401314306
> 
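The derivation quoted above, as an added example that is not part of the original message or of any TLS implementation: the TLS 1.2 PRF from RFC 5246 (P_SHA256) with the proposed XOR-and-rotate combiner placed in front of it. The function names (`xor_all`, `rot_left`, `multiple_pre_master_secret`, `master_secret`) and the sample pre-master secrets in `demo()` are my own constructions, chosen only to make the computation concrete.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246, section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def xor_all(chunks) -> bytes:
    """XOR an arbitrary number of equal-length byte strings together."""
    n = len(chunks[0])
    if any(len(c) != n for c in chunks):
        raise ValueError("all pre_master_secrets must have the same length")
    acc = bytearray(n)
    for chunk in chunks:
        for i, b in enumerate(chunk):
            acc[i] ^= b
    return bytes(acc)


def rot_left(data: bytes, m: int) -> bytes:
    """Circular left rotation of a byte string by m bits (m may be 0 or >= width)."""
    nbits = len(data) * 8
    m %= nbits
    v = int.from_bytes(data, "big")
    mask = (1 << nbits) - 1
    v = ((v << m) | (v >> (nbits - m))) & mask if m else v
    return v.to_bytes(len(data), "big")


def multiple_pre_master_secret(pms_list, m: int = 0) -> bytes:
    """multiple_pre_master_secret = ROT(XOR(pms_1, ..., pms_n), m)."""
    return rot_left(xor_all(pms_list), m)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0:48]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def demo() -> bytes:
    # Constructed sample inputs: two TLS 1.2 RSA-style pre-master secrets
    # (2 version bytes + 46 random bytes each) and two 32-byte hello randoms.
    pms_1 = b"\x03\x03" + os.urandom(46)
    pms_2 = b"\x03\x03" + os.urandom(46)
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    combined = multiple_pre_master_secret([pms_1, pms_2], m=7)
    return master_secret(combined, client_random, server_random)


if __name__ == "__main__":
    print(demo().hex())
```

Two properties the code makes easy to check: XOR is its own inverse, so `xor_all([combined, pms_1])` returns `pms_2` exactly (knowing all but one component recovers the last), and `rot_left` by a public `m` is a fixed bijection on the combined value, so it changes the encoding of the secret but not what an observer who holds the components can compute from it.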