IETF Logo Mail Archive

Re: [TLS] OPTLS: Signature-less TLS 1.3

Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 13 November 2014 04:03 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33DB81A1B4D for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 20:03:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5yS_7A6ddDV for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 20:02:57 -0800 (PST)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079341A1B49 for <tls@ietf.org>; Wed, 12 Nov 2014 20:02:57 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id b6so10387712lbj.2 for <tls@ietf.org>; Wed, 12 Nov 2014 20:02:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=fIw3rWd3TSNfVmSQM+zvP0n+q1L6R9SaiUw9rUQOrCo=; b=uBrElkZFQjab4VXdhAKrUm2UM6WP7hL6P1fYI528inFGCD3AdT7xj5F4tTWA9KVIFZ gmRWzfqbri4PvPv/Icpwes3CRcvTbYH10YXkbk1J7qw/H5KPGWTaQIqQbEv0pokZE6ms RhrQZGhhVnwy+ClJEx0VUMv8WxTtFI2ak9NN9WkI/GJ6WYnOQ08To8vA6j4iBrAWWz3u y3MVVtu1s/CD2WbmVGY7KI7QaMCcLhEIjgSRP+KwSC4arDZqX6g5slR0Qia6+BzfZ68W bMfp+zdEFotOwJ/Zsl/G7rGBlmZkOkuik+uonE3wHewT93DNgfxCl3UWjRz7klgaixAz bwVw==
X-Received: by 10.112.199.100 with SMTP id jj4mr25592238lbc.71.1415851375341; Wed, 12 Nov 2014 20:02:55 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.20 with HTTP; Wed, 12 Nov 2014 20:02:25 -0800 (PST)
In-Reply-To: <20141111203740.GN3412@localhost>
References: <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost> <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com> <20141111021201.GH3412@localhost> <5461A3DD.4030102@fifthhorseman.net> <CADi0yUO4Q8=FkmAXH0na2gd6MADb4JSCGUGju7mYYm-qxqEKQw@mail.gmail.com> <20141111173325.GK3412@localhost> <4008860D-58A7-4A48-A4FC-A5823D94B791@gmail.com> <20141111203740.GN3412@localhost>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 12 Nov 2014 23:02:25 -0500
X-Google-Sender-Auth: FoZo9tDg7s-nlY4O1le-ph1oasw
Message-ID: <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="001a11c2a9964836c40507b596bb"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/C_s4pMl6UBm6cd3kEqLZN5Z84K8
Cc: Hoeteck Wee <hoeteck@alum.mit.edu>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 04:03:00 -0000

>From the discussions in this list and some offline conversations it is clear
that people like OPTLS for its features but are concerned with the issue of
"delegation", namely, the need for the server to create certificates for
static DH keys g^s by signing (using the RSA key in the server's
certificate)
the key g^s, the validity period (T1,T2) and possibly some other
information.
I'll call this signature a sub-certificate or subcert (some suggested
calling
this a proxy certificate but I prefer not to use established terminology
since
I am not sure what the exact semantics/connotations of these terms).

Here is a summary of the concerns and some of the available techniques to
deal
with them.

* The delegation concerns do NOT exist in a model where the attacker either
  gets full control of the private signing key (e.g., steals it) or
otherwise
  has no access to it. Indeed, in this case either the  key is secure and
the
  attacker cannot produce subcerts or the key is fully compromised and one
  cannot possibly provide server security (in this or any previous version
of
  TLS).

* Thus, delegation concerns only arise when assuming an attacker that cannot
  steal the signing key but can get temporary access to a signing device and
  create a few signatures on arbitrary data. In such case, the attacker can
  generate subcerts for keys g^s for which it knows the secret key s, hence
  allowing him to impersonate the server against any client accepting this
  subcert.

* I am not sure how common the above "partial exposure" problem is in
practice
  but note that if the signing key was only used to generate TLS 1.3
subcerts
  then it could be well guarded since it would be used rarely and never
needed
  online. This would be the case if servers equipped themselves with
signature
  certificates solely used for this purpose (rather than using the same
  certificate in protocols like TLS 1.2 that require online signatures).

NOTE: One way of using a TLS 1.3 RSA key would be to generate a bunch of
subcerts for g^s values in all the EC groups that the server supports and
then
DESTROY the signing key. (This is equivalent, functionally and
security-wise,
to getting DH certificates for all these groups without requiring the CA to
issue DH certificates at all!)

* Assuming that servers will not want to get certificates for use with TLS
1.3
  only (why not?), then we need to address the above subcert forgery
scenario
  where the atacker gets limited access to the signing key. An imperfect but
  effective solution is to only issue subcerts with short validity period,
  i.e.  where the difference T2-T1 is small. In this case the attacker with
  temporary access to the signing key can only create a limited number of
  subcerts covering a limited time span.

Operational note: It is the servers' responsibility to create such
short-lived
subcerts but it is the clients' responsibility to check the subcerts are
indeed short-lived (otherwise an attacker can generate a long-lived subcert
that the client will accept).

* Clients with clocks with significant deviations from the correct time will
  have trouble accepting valid subcerts and may be induced to accept old (or
  into-the-future) subcerts. I can imagine this to be a problem. But is it
  enough to abandon the benefits of a ECDH-based solution like OPTLS?

* The acceptable validity periods can be fixed by the protocol or can be
part
  of the "negotiation" where the client will say which validity-period
lengths
  are acceptable to him and the server will send an error message if it does
  not support such periods. Or the server can simply send the subcert with
the
  shortest validity period which is still valid and the client accept it
  depending on his clock and policy.

Note: One could accommodate, in principle, a period length of 0, meaning a
subcert that is only valid instantaneously; in other words, this would be a
per-session signature on g^s that will also include the client nonce.

* There is no need to have a revocation mechanism for subcerts. The rule is
  that subcerts are not accepted once the RSA certificate is expired or
  revoked. Hence, the revocation of the RSA certificate implies revocation
of
  all subcerts signed with it.

FINAL NOTE: The above issues will be eventually solved with servers getting
certificates for use with TLS 1.3 (either ECDH certificates or signature
certificates used as explained in the first NOTE above).

Hugo


On Tue, Nov 11, 2014 at 3:37 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, Nov 11, 2014 at 09:47:23AM -1000, Yoav Nir wrote:
> > > On Nov 11, 2014, at 7:33 AM, Nico Williams <nico@cryptonector.com>
> wrote:
> > > That the "sub-cert" needs either a revocation scheme (not likely) or a
> > > short lifetime.  The latter puts this on a par with session resumption,
> > > thus making one (well, me) wonder what the advantage to the static DH
> > > concept would be.
> >
> > There is a revocation scheme. If the private ECDH key is lost, you
> > revoke the certificate, thereby invalidating the delegation.
>
> Ah, good point!
>
> > > We could put static DH keys in DNSSEC and learn them that way, which
> > > would get us 0rt.
> >
> > Another possibility is to place the ECDH public key in a certificate
> > extension. This gives it a lifetime as long as the certificate, and it
> > doesn’t matter whether the “regular” certificate public key is RSA or
> > ECDSA or anything else.
>
> Sure, certs could have multiple subject public keys.  That'd be a very
> nice.  A cert could have an encryption key, a different signature key,
> and a key agreement key.
>
> > It removes the need to use signatures at all by the server. Not even
> > once.
>
> Yes.  I like this.
>
> Nico
> --
>

v2.23.0 | Report a Bug | By Email