> On 10 Oct 2013, at 17:06, John Kelsey <crypto....@gmail.com> wrote:
> Just thinking out loud....
> The administrative complexity of a cryptosystem is overwhelmingly in key 
> management and identity management and all the rest of that stuff.  So 
> imagine that we have a widely-used inner-level protocol that can use strong 
> crypto, but also requires no external key management.  The purpose of the 
> inner protocol is to provide a fallback layer of security, so that even an 
> attack on the outer protocol (which is allowed to use more complicated key 
> management) is unlikely to be able to cause an actual security problem.  On 
> the other hand, in case of a problem with the inner protocol, the outer 
> protocol should also provide protection against everything.
> Without doing any key management or requiring some kind of reliable identity 
> or memory of previous sessions, the best we can do in the inner protocol is 
> an ephemeral Diffie-Hellman, so suppose we do this:  
> a.  Generate random a and send aG on curve P256
> b.  Generate random b and send bG on curve P256
> c.  Both sides derive the shared key abG, and then use SHAKE512(abG) to 
> generate an AES key for messages in each direction.
> d.  Each side keeps a sequence number to use as a nonce.  Both sides use 
> AES-CCM with their sequence number and their sending key, and keep track of 
> the sequence number of the most recent message received from the other side.  
> The point is, this is a protocol that happens *inside* the main security 
> protocol.  This happens inside TLS or whatever.  An attack on TLS then leads 
> to an attack on the whole application only if the TLS attack also lets you do 
> man-in-the-middle attacks on the inner protocol, or if it exploits something 
> about certificate/identity management done in the higher-level protocol.  
> (Ideally, within the inner protcol, you do some checking of the identity 
> using a password or shared secret or something, but that's application-level 
> stuff the inner and outer protocols don't know about.  
> Thoughts?

Suggest it on the tls wg list as a feature of 1.3?


> --John
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
The cryptography mailing list

Reply via email to