starting on tls 1 3
play

Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random - PowerPoint PPT Presentation

Sep 15, 2023 •49 likes •269 views

Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random CNAMEs 1 Reminder: Objectives Encrypt as much of the handshake as possible Reduce handshake latency, with a target of 0-RTT for repeated handshakes and 1-RTT for full

  1. Starting on TLS 1.3 Eric Rescorla ekr@rtfm.com IETF 85 Random CNAMEs 1

  2. Reminder: Objectives • Encrypt as much of the handshake as possible • Reduce handshake latency, with a target of 0-RTT for repeated handshakes and 1-RTT for “full” handshakes • Reevaluate handshake contents • Reevaluate record protection mechanisms (not discussed here) IETF 85 Random CNAMEs 2

  3. Rough time allocation Time Topic 30 New handshake flows 7 Should we allow renegotiation 7 Should we stop supporting RSA? 7 Should we get rid of resumption? 7 Random sizes 2 Other? IETF 85 Random CNAMEs 3

  4. New Handshake Flows • Almost nothing here is new • Ideas cribbed from – False Start – Snap Start – NPN – Marsh Ray’s encrypted handshake draft – A bunch of other people • Writeup in: draft-rescorla-tls13-new-flows – Just posted (sorry about that!) IETF 85 Random CNAMEs 4

  5. DISCLAIMER DISCLAIMER: THIS IS A VERY ROUGH DRAFT. EVERYTHING HERE IS SUPER-HANDWAVY AND HASN’T REALLY HAD ANY SECURITY ANALYSIS. I DON’T PROMISE IT’S NOT VERY VERY WRONG BUT I WANTED TO BE ABLE TO HAVE AN EARLY DISCUSSION ABOUT DIRECTION. IETF 85 Random CNAMEs 5

  6. Reminder: TLS 1.2 Full Handshake ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] {Finished} --------> [ChangeCipherSpec] <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 6

  7. Reminder: TLS 1.2 Resumed Handshake ClientHello --------> ServerHello [ChangeCipherSpec] <-------- {Finished} [ChangeCipherSpec] {Finished} --------> {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 7

  8. Reminder: False Start ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] {Finished} {Application Data} --------> [ChangeCipherSpec] <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 8

  9. Warm-up: Fast Track (sort-of) ClientHello + CI ClientKeyExchange --------> ServerHello + CI Certificate* ServerKeyExchange* ServerHelloDone [ChangeCipherSpec] <-------- {Finished} [ChangeCipherSpec] {Finished} {Application Data} --------> {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 9

  10. Warm-up: Falling back under prediction failure ClientHello + CI ClientKeyExchange --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] {Finished} --------> [ChangeCipherSpec] <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 10

  11. Reduced RT handshake with privacy ClientHello + CI ClientKeyExchange --------> ServerHello[1] + CI ServerKeyExchange* [ChangeCipherSpec] {ServerHello[2]} {Certificate*} {CertificateRequest*} {ServerHelloDone} <-------- {AlmostFinished} [ChangeCipherSpec] {Certificate*} {CertificateVerify*} {Finished} {Application Data} --------> <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 11

  12. Reduced RT handshake with privacy ClientHello[1] + CI ClientKeyExchange --------> ServerHello[1] <-------- ServerKeyExchange* ClientHello[2] + CI // For consistency ClientKeyExchange [ChangeCipherSpec] {ClientHello[3]} --------> [ChangeCipherSpec] {ServerHello} {Certificate*} {ServerKeySignature*} {CertificateRequest*} {ServerHelloDone} <-------- {AlmostFinished} {Certificate*} {CertificateVerify*} {Finished} {Application Data} --------> <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 12

  13. Zero RT Handshake (resumed) ClientHello + CI + AR [ChangeCipherSpec] {Finished} {Application Data} --------> ServerHello + CI + AR [ChangeCipherSpec] <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 13

  14. Zero RT Handshake (non-resumed) ClientHello[1] + CI + AR ClientKeyExchange {ClientHello[2]} [ChangeCipherSpec] {Certificate*} {CertificateVerify*} {Finished} {Application Data} --------> ServerHello[1] [ChangeCipherSpec] {ServerHello[2]} {ServerHelloDone} <-------- {Finished} {Application Data} <-------> {Application Data} IETF 85 Random CNAMEs 14

  15. Zero-RTT Fallback Options • How many fallback options should we have? • Potentially – 0RTT resumed → 0RTT non-resumed → 1RTT Fast Track → Full handshake • This seems awful complicated – Both for specification and for client IETF 85 Random CNAMEs 15

  16. PFS just got complicated • Resumption obviously doesn’t provide PFS • But even the non-resumed handshake doesn’t provide it – Because it assumes a static server public key • Options – Do a rehandshake – Have a two-phase handshake with the server supplying a key and client cuts over IETF 85 Random CNAMEs 16

  17. Handwaving ClientHello[1] + CI + AR ClientKeyExchange {ClientHello[2]} [ChangeCipherSpec] {Finished} {Application Data} --------> ServerHello[1] [ChangeCipherSpec] {ServerHello[2]} {Certificate} {ServerKeyExchange} {ServerHelloDone} <-------- {{Finished}} {{Application Data}} <-------> {{Application Data}} IETF 85 Random CNAMEs 17

  18. Should we remove renegotation? • Raised by a number of people on the list • Arguments for – Obvious point of complexity – We’ve had problems here before • Arguments against – Change parameters – PFS refresh/rekey – To prevent cipher exhaustion (other ways to fix this) – Are we breaking people’s actual applications • Discuss. IETF 85 Random CNAMEs 18

  19. Should we stop supporting RSA? • Obviously suboptimal performance characteristics • Complexity – Doesn’t match the PFS pattern – See the handshakes above • But everyone uses it... – And they have RSA certificates – Nice to have options – Discuss. IETF 85 Random CNAMEs 19

  20. Should we remove resumption? • Servers have gotten a lot faster – As have our cipher suites • Arguments for – Remove complexity • Arguments against – People definitely use it – And not everyone has gone to EC – Some devices have gotten much slower (DICE) • Discuss. IETF 85 Random CNAMEs 20

  21. Random values • Current random values are (allegedly) 4 bytes of time and 28 bytes of randomness • Make them shorter – Reduce entropy leakage from the PRNG – Is there an easier way to do this, e.g., separate PRNGs? • Make them longer – Still waiting for a security analysis here • Remove time – Potential fingerprinting service – But maybe useful for some stuff – Compatibility questions probably not a big issue • Discuss. IETF 85 Random CNAMEs 21

  22. Other topics? IETF 85 Random CNAMEs 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

E L E C T R I C V E H I C L E S | M A I N S T R E A M &amp; A F F O R D A B L E Starting at

E L E C T R I C V E H I C L E S | M A I N S T R E A M &amp; A F F O R D A B L E Starting at

E L E C T R I C V E H I C L E S | M A I N S T R E A M &amp; A F F O R D A B L E Starting at $35,000 Tesla Model 3 reservations are currently over 373,000 E V S A L E S A R E G R O W I N G E V E R Y Y E A R S O U R C E : G L O B A L

588 views • 9 slides
School Starting Time Steering Committee May 16, 2017 Tonights Agenda School Starting Time

School Starting Time Steering Committee May 16, 2017 Tonights Agenda School Starting Time

Garden City Public Schools Report of the School Starting Time Steering Committee May 16, 2017 Tonights Agenda School Starting Time Steering Committee The Committees recommendations Background Committee activities Survey

329 views • 28 slides
Introduction In 2001, number of women starting in CS at UIUC was ridiculously low: 9%; way

Introduction In 2001, number of women starting in CS at UIUC was ridiculously low: 9%; way

Introduction In 2001, number of women starting in CS at UIUC was ridiculously low: 9%; way lower than fraction of women among faculty, or among students starting in mechanical engineering; retention was also worse than for men. Decided to

436 views • 29 slides
Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController

Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController

Beautiful Code in Rails 3 by Gregg Pollack Starting a new app New Router API ActionController - respond_with ActionMailer Syntax ActiveRelation (arel) ERB Strings Escaped Unobtrusive Javascript Starting a New App $ rails Usage: rails

593 views • 45 slides
1 3 1/3 1/3 yes no -22-19 wye-delta -22-20 auto- 2 2 transformer -22-21

1 3 1/3 1/3 yes no -22-19 wye-delta -22-20 auto- 2 2 transformer -22-21

IEV 411 Starting winding mains current % torque % interruption starting time critical method current % -22-18 direct - - - no no -22-26 series-parallel 1/2 1/4 1/4 yes no 1 3 1/3 1/3 yes no -22-19 wye-delta

832 views • 33 slides
UDL for Student Voices STARTING THE CONVERSATION Brooke Hessler, Learning Resources Bobby White,

UDL for Student Voices STARTING THE CONVERSATION Brooke Hessler, Learning Resources Bobby White,

2 February 2019 UDL for Student Voices STARTING THE CONVERSATION Brooke Hessler, Learning Resources Bobby White, Teaching Support Studio AGENDA UDL &amp; Chimeric Learners Starting with Names: Moodle profiles &amp; discussion boards

367 views • 19 slides
Experiences in starting measurement of services in Poland 31 ST VOORBURG GROUP MEETING CROATIA,

Experiences in starting measurement of services in Poland 31 ST VOORBURG GROUP MEETING CROATIA,

Experiences in starting measurement of services in Poland 31 ST VOORBURG GROUP MEETING CROATIA, 19-23 SEPTEMBER, 2016 CENTRAL STATISTICAL OFFICE OF POLAND TRADE AND SERVICES DEPARTMENT AGNIESZKA MATULSKA-BACHURA The starting and development of

643 views • 24 slides
Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights and Business Update Strong financial performance driven by outstanding traffic and active customer growth Starting point strategy: Site visits

601 views • 20 slides
ST GEORGES STREET, CANTERBURY PROPOSED PUBLIC REALM IMPROVEMENTS The starting point

ST GEORGES STREET, CANTERBURY PROPOSED PUBLIC REALM IMPROVEMENTS The starting point

ST GEORGES STREET, CANTERBURY PROPOSED PUBLIC REALM IMPROVEMENTS The starting point Understanding the past is an important prelude to good design. In the Canterbury context the starting point is often looking back in history to understand

499 views • 20 slides
We will be starting soon. #PromisingApproaches Supported by Agenda Welcome and

We will be starting soon. #PromisingApproaches Supported by Agenda Welcome and

We will be starting soon. #PromisingApproaches Supported by Agenda Welcome and introductions Paul Cann Introducing the revised framework Kate Jopling Breakout discussions The Psychology of Loneliness Dr Kalpa

877 views • 70 slides
Starting point : Multicomponent signals (1) L s ( t ) = a ( t ) cos( ( t )) , t

Starting point : Multicomponent signals (1) L s ( t ) = a ( t ) cos( ( t )) , t

Starting point : Multicomponent signals (1) L s ( t ) = a ( t ) cos( ( t )) , t R Transform ee de Riesz multi- echelles et =1 a limage 1 Applications ` - Decomposition problem : extraction of the di ff erent

466 views • 11 slides
Hello If you can see this then you will be able to view todays session. We will be starting

Hello If you can see this then you will be able to view todays session. We will be starting

Hello If you can see this then you will be able to view todays session. We will be starting shortly, thank you for your patience. Managing employees through severe weather 24/7 professional support for business, across employment law, HR,

463 views • 11 slides
Helping People In Forming Companies, Opening Bank Account &amp; Getting Licenses Truly

Helping People In Forming Companies, Opening Bank Account &amp; Getting Licenses Truly

Helping People In Forming Companies, Opening Bank Account &amp; Getting Licenses Truly Simplifying Offshore Solutions Starting Offshore Ltd Registered in Saint Vincent &amp; Grenadines with IBC Number 23836 ABOUT STARTING OFFSHORE Starting

510 views • 9 slides
MEMPHIS C I V I C C O M M O N S The Fourth Bluff The Starting Point Life and commerce in

MEMPHIS C I V I C C O M M O N S The Fourth Bluff The Starting Point Life and commerce in

MEMPHIS C I V I C C O M M O N S The Fourth Bluff The Starting Point Life and commerce in Memphis began at the river with the Fourth Bluff at its heart. We will draw Memphians back to this original starting point and revitalize the Fourth

578 views • 22 slides
UTOPIAE is a 3.9M starting 01 January 2017 research and training network supported by the 15

UTOPIAE is a 3.9M starting 01 January 2017 research and training network supported by the 15

U NCERTAINTY Q UANTIFICATION IN O RBITAL M ECHANICS Massimiliano Vasile, Aerospace Centre of Excellence, Department of Mechanical &amp; Aerospace Engineering, University of Strathclyde UTOPIAE will last 4 years UTOPIAE is a 3.9M starting 01

808 views • 60 slides
In 2015/16, new 0% starting rate for savings income up to maximum of 5,000. But only

In 2015/16, new 0% starting rate for savings income up to maximum of 5,000. But only

FINANCE ACT 2015 Robert Jamieson MA FCA CTA (Fellow) TEP 25 September 2015 NEW STARTING RATE FOR SAVINGS In 2015/16, new 0% starting rate for savings income up to maximum of 5,000. But only in point for those whose non- savings

931 views • 64 slides
Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every

Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every

6.828: Operating System Engineering Interrupt and Exception Handling on the x86 ( Lecture 8 ) x86 Interrupt Vectors - Every Exception/Interrupt type is assigned a number: - its vector - When an interrupt occurs, the vector determines what code

456 views • 13 slides
ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we

ECE 2574: Data Structures and Algorithms - Error Handling and Exceptions C. L. Wyatt Today we will look at more detail into error handling mechanisms and the use of exceptions. Motivation: what can go wrong? The two and a half approaches

523 views • 18 slides
Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya

Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya

Garside structure and Dehornoy ordering of braid groups for topologist (mini-course II) Tetsuya Ito Combinatorial Link Homology Theories, Braids, and Contact Geometry Aug, 2014 Tetsuya Ito Braid calculus Aug , 2014 1 / 64 Part II: The

1.37k views • 114 slides
Motivations Chapter 12 Exceptions and File Input/Output When a program runs into a runtime

Motivations Chapter 12 Exceptions and File Input/Output When a program runs into a runtime

Motivations Chapter 12 Exceptions and File Input/Output When a program runs into a runtime error, the program terminates abnormally. How can you handle the runtime error so that the program can continue to run or terminate gracefully? This is

422 views • 16 slides
Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat

Dragonblood : Attacking the Dragonfly Handshake of WPA3 Mathy Vanhoef and Eyal Ronen Black Hat USA. Las Vegas, 7 August 2019. Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

532 views • 50 slides
Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake

Asynchronous circuit technology is on the market Overview Introduction Handshake Solutions Handshake Technology Counting asynchronous millionaires More metrics # trained people # competition # asynchronous

528 views • 36 slides
Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career

Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career

Utilizing the Marquette University Career Services Center Courtney Hanson Director, Career Services Center Marquette University Marquette University Career Services Center Holthusen Hall, First Floor (414) 288-7423

159 views • 15 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views • 85 slides

More recommend