<div dir="ltr">I was literally having this exact same discussion with Ilari today, and even started describing OPTLS as "Noise for TLS" until Ilari explained to me what you discovered, and now I kind of feel like it's the worst of both worlds.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 11:05 PM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I took a closer look at TLS 1.3, to see how it might translate to Noise.<br>
<br>
It's still largely in flux. But the OPTLS proposal [1] is very<br>
similar to a Noise pipe or HandshakeNX (HandshakeXX with client auth)<br>
[2]:<br>
<br>
HandshakeNX():<br>
-> e<br>
<- e, dhee, s, dhse<br>
<br>
HandshakeXX(s):<br>
-> e<br>
<- e, dhee, s, dhse<br>
-> s, dhse<br>
<br>
IETF discussion of that focused on the case where [3]:<br>
(a) the server's long-term key is already a signing key<br>
(b) it's stored in an HSM that doesn't support DH keys<br>
(c) time sync doesn't exist<br>
<br>
(a) and (b) preclude using the long-term key as s above. (b)<br>
precludes the solution of signing s with the signing key since s would<br>
then have all the power of the signing key, but is stored less<br>
securely. (c) precludes limiting that risk with signature expiry.<br>
<br>
Meeting those constraints require signatures over the entire<br>
handshake, which loses some deniability:<br>
-> e<br>
<- e, dhee, long-term key, sign-everything<br>
<br>
For some reason the IETF is trying to combine this with OPTLS [4]:<br>
-> e<br>
<- e, dhee, s, dhse, long-term key, sign-everything<br>
<br>
Where s is a "semi-static" key for a subsequent 0-RTT handshake.<br>
<br>
Am I missing something, or is that ugly and missing the point of<br>
OPTLS? (which was to accomplish a DH-only key agreement, for savings<br>
in bandwidth, deniability, and implementation simplicity):<br>
- If the server doesn't support the semi-static key, it sets s=e to<br>
skip the dhse calculation (but then transmitting s is pointless)<br>
- If the server *does* support the semi-static key, then dhse is<br>
performed but is pointless, as the connection is already authenticated<br>
by the signature, and forward-secrecy is already provided by dhee<br>
<br>
Anyways, Noise doesn't have the HSM-back-compatibility concerns that<br>
are apparently steering them to signatures. So a system using Noise<br>
could easily have the server send an optional semi-static public-key<br>
in the payload of a HandshakeNX, and then the client could use that<br>
for a 0-RTT BoxNS:<br>
-> e, dhes<br>
<br>
<br>
Trevor<br>
<br>
<br>
[1] <a href="https://www.ietf.org/mail-archive/web/tls/current/msg14385.html" target="_blank">https://www.ietf.org/mail-archive/web/tls/current/msg14385.html</a><br>
[2] <a href="https://github.com/trevp/noise/blob/noise2/noise.md" target="_blank">https://github.com/trevp/noise/blob/noise2/noise.md</a><br>
[3] <a href="https://www.ietf.org/mail-archive/web/tls/current/msg14494.html" target="_blank">https://www.ietf.org/mail-archive/web/tls/current/msg14494.html</a><br>
[4] <a href="https://www.ietf.org/mail-archive/web/tls/current/msg15621.html" target="_blank">https://www.ietf.org/mail-archive/web/tls/current/msg15621.html</a><br>
_______________________________________________<br>
Noise mailing list<br>
<a href="mailto:Noise@moderncrypto.org">Noise@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/noise" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Tony Arcieri<br></div>
</div>