Re: [TLS] OPTLS: Signature-less TLS 1.3
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 13 November 2014 04:03 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33DB81A1B4D for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 20:03:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5yS_7A6ddDV for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 20:02:57 -0800 (PST)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079341A1B49 for <tls@ietf.org>; Wed, 12 Nov 2014 20:02:57 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id b6so10387712lbj.2 for <tls@ietf.org>; Wed, 12 Nov 2014 20:02:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=fIw3rWd3TSNfVmSQM+zvP0n+q1L6R9SaiUw9rUQOrCo=; b=uBrElkZFQjab4VXdhAKrUm2UM6WP7hL6P1fYI528inFGCD3AdT7xj5F4tTWA9KVIFZ gmRWzfqbri4PvPv/Icpwes3CRcvTbYH10YXkbk1J7qw/H5KPGWTaQIqQbEv0pokZE6ms RhrQZGhhVnwy+ClJEx0VUMv8WxTtFI2ak9NN9WkI/GJ6WYnOQ08To8vA6j4iBrAWWz3u y3MVVtu1s/CD2WbmVGY7KI7QaMCcLhEIjgSRP+KwSC4arDZqX6g5slR0Qia6+BzfZ68W bMfp+zdEFotOwJ/Zsl/G7rGBlmZkOkuik+uonE3wHewT93DNgfxCl3UWjRz7klgaixAz bwVw==
X-Received: by 10.112.199.100 with SMTP id jj4mr25592238lbc.71.1415851375341; Wed, 12 Nov 2014 20:02:55 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.20 with HTTP; Wed, 12 Nov 2014 20:02:25 -0800 (PST)
In-Reply-To: <20141111203740.GN3412@localhost>
References: <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost> <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com> <20141111021201.GH3412@localhost> <5461A3DD.4030102@fifthhorseman.net> <CADi0yUO4Q8=FkmAXH0na2gd6MADb4JSCGUGju7mYYm-qxqEKQw@mail.gmail.com> <20141111173325.GK3412@localhost> <4008860D-58A7-4A48-A4FC-A5823D94B791@gmail.com> <20141111203740.GN3412@localhost>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 12 Nov 2014 23:02:25 -0500
X-Google-Sender-Auth: FoZo9tDg7s-nlY4O1le-ph1oasw
Message-ID: <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="001a11c2a9964836c40507b596bb"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/C_s4pMl6UBm6cd3kEqLZN5Z84K8
Cc: Hoeteck Wee <hoeteck@alum.mit.edu>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 04:03:00 -0000
>From the discussions in this list and some offline conversations it is clear that people like OPTLS for its features but are concerned with the issue of "delegation", namely, the need for the server to create certificates for static DH keys g^s by signing (using the RSA key in the server's certificate) the key g^s, the validity period (T1,T2) and possibly some other information. I'll call this signature a sub-certificate or subcert (some suggested calling this a proxy certificate but I prefer not to use established terminology since I am not sure what the exact semantics/connotations of these terms). Here is a summary of the concerns and some of the available techniques to deal with them. * The delegation concerns do NOT exist in a model where the attacker either gets full control of the private signing key (e.g., steals it) or otherwise has no access to it. Indeed, in this case either the key is secure and the attacker cannot produce subcerts or the key is fully compromised and one cannot possibly provide server security (in this or any previous version of TLS). * Thus, delegation concerns only arise when assuming an attacker that cannot steal the signing key but can get temporary access to a signing device and create a few signatures on arbitrary data. In such case, the attacker can generate subcerts for keys g^s for which it knows the secret key s, hence allowing him to impersonate the server against any client accepting this subcert. * I am not sure how common the above "partial exposure" problem is in practice but note that if the signing key was only used to generate TLS 1.3 subcerts then it could be well guarded since it would be used rarely and never needed online. This would be the case if servers equipped themselves with signature certificates solely used for this purpose (rather than using the same certificate in protocols like TLS 1.2 that require online signatures). NOTE: One way of using a TLS 1.3 RSA key would be to generate a bunch of subcerts for g^s values in all the EC groups that the server supports and then DESTROY the signing key. (This is equivalent, functionally and security-wise, to getting DH certificates for all these groups without requiring the CA to issue DH certificates at all!) * Assuming that servers will not want to get certificates for use with TLS 1.3 only (why not?), then we need to address the above subcert forgery scenario where the atacker gets limited access to the signing key. An imperfect but effective solution is to only issue subcerts with short validity period, i.e. where the difference T2-T1 is small. In this case the attacker with temporary access to the signing key can only create a limited number of subcerts covering a limited time span. Operational note: It is the servers' responsibility to create such short-lived subcerts but it is the clients' responsibility to check the subcerts are indeed short-lived (otherwise an attacker can generate a long-lived subcert that the client will accept). * Clients with clocks with significant deviations from the correct time will have trouble accepting valid subcerts and may be induced to accept old (or into-the-future) subcerts. I can imagine this to be a problem. But is it enough to abandon the benefits of a ECDH-based solution like OPTLS? * The acceptable validity periods can be fixed by the protocol or can be part of the "negotiation" where the client will say which validity-period lengths are acceptable to him and the server will send an error message if it does not support such periods. Or the server can simply send the subcert with the shortest validity period which is still valid and the client accept it depending on his clock and policy. Note: One could accommodate, in principle, a period length of 0, meaning a subcert that is only valid instantaneously; in other words, this would be a per-session signature on g^s that will also include the client nonce. * There is no need to have a revocation mechanism for subcerts. The rule is that subcerts are not accepted once the RSA certificate is expired or revoked. Hence, the revocation of the RSA certificate implies revocation of all subcerts signed with it. FINAL NOTE: The above issues will be eventually solved with servers getting certificates for use with TLS 1.3 (either ECDH certificates or signature certificates used as explained in the first NOTE above). Hugo On Tue, Nov 11, 2014 at 3:37 PM, Nico Williams <nico@cryptonector.com> wrote: > On Tue, Nov 11, 2014 at 09:47:23AM -1000, Yoav Nir wrote: > > > On Nov 11, 2014, at 7:33 AM, Nico Williams <nico@cryptonector.com> > wrote: > > > That the "sub-cert" needs either a revocation scheme (not likely) or a > > > short lifetime. The latter puts this on a par with session resumption, > > > thus making one (well, me) wonder what the advantage to the static DH > > > concept would be. > > > > There is a revocation scheme. If the private ECDH key is lost, you > > revoke the certificate, thereby invalidating the delegation. > > Ah, good point! > > > > We could put static DH keys in DNSSEC and learn them that way, which > > > would get us 0rt. > > > > Another possibility is to place the ECDH public key in a certificate > > extension. This gives it a lifetime as long as the certificate, and it > > doesn’t matter whether the “regular” certificate public key is RSA or > > ECDSA or anything else. > > Sure, certs could have multiple subject public keys. That'd be a very > nice. A cert could have an encryption key, a different signature key, > and a key agreement key. > > > It removes the need to use signatures at all by the server. Not even > > once. > > Yes. I like this. > > Nico > -- >
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk