> On 10 Oct 2013, at 17:06, John Kelsey <crypto....@gmail.com> wrote: > > Just thinking out loud.... > > The administrative complexity of a cryptosystem is overwhelmingly in key > management and identity management and all the rest of that stuff. So > imagine that we have a widely-used inner-level protocol that can use strong > crypto, but also requires no external key management. The purpose of the > inner protocol is to provide a fallback layer of security, so that even an > attack on the outer protocol (which is allowed to use more complicated key > management) is unlikely to be able to cause an actual security problem. On > the other hand, in case of a problem with the inner protocol, the outer > protocol should also provide protection against everything. > > Without doing any key management or requiring some kind of reliable identity > or memory of previous sessions, the best we can do in the inner protocol is > an ephemeral Diffie-Hellman, so suppose we do this: > > a. Generate random a and send aG on curve P256 > > b. Generate random b and send bG on curve P256 > > c. Both sides derive the shared key abG, and then use SHAKE512(abG) to > generate an AES key for messages in each direction. > > d. Each side keeps a sequence number to use as a nonce. Both sides use > AES-CCM with their sequence number and their sending key, and keep track of > the sequence number of the most recent message received from the other side. > > The point is, this is a protocol that happens *inside* the main security > protocol. This happens inside TLS or whatever. An attack on TLS then leads > to an attack on the whole application only if the TLS attack also lets you do > man-in-the-middle attacks on the inner protocol, or if it exploits something > about certificate/identity management done in the higher-level protocol. > (Ideally, within the inner protcol, you do some checking of the identity > using a password or shared secret or something, but that's application-level > stuff the inner and outer protocols don't know about. > > Thoughts?
Suggest it on the tls wg list as a feature of 1.3? S > > --John > _______________________________________________ > The cryptography mailing list > cryptography@metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography