RE: refactoring crypto handshakes (SSL in 3 easy steps)

2007-11-15 Thread Pasi.Eronen 
There's a dependency from negotiated capabililities
to the cryptographic things included in the first message
from client to server (since e.g. what algorithm is 
used by the client, or even what certificate is selected,
depends on these non-crypto capability/feature parts.)

But as James pointed out, you could probably handle this 
in optimistic mode; i.e. make a guess what the negotiated
capabilities are likely to be, and fall back to more
RTTs if the guess is wrong.

(BTW, usually we also want the capability negotiation
to be secure; SSL simply exchanges MACs of all messages
once the key for MAC has been agreed on. Would this
add 0.5 or 1RTT? Or perhaps there's some clever
way to do it without additional RTT?)

Best regards,
Pasi

 -Original Message-
 From: ext [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: 14 November, 2007 21:46
 To: Eronen Pasi (Nokia-NRC/Helsinki)
 Cc: cryptography@metzdowd.com
 Subject: Re: refactoring crypto handshakes (SSL in 3 easy steps)
 
 On Tue, Nov 13, 2007 at 08:35:52AM +0200, [EMAIL PROTECTED] wrote:
  The extra messages might be irrelevant for cryptography,
  but they're not irrelevant for security or functionality.
  E.g. in SSL, you have capability/feature negotiation
  (cipher suites, trusted CAs, in TLS 1.2 also signature
  algorithms, etc.)
 
 So, this is a good place to attempt to use this method.
 
 Data to be sent:
 
 1) supported capabilities on the client
 2) supported capabilities on the server
 3) negotiated capabilities
 
 Dependencies:
 
 1) No dependencies (first message from client to server)
 2) No dependencies (first message from server to client)
 3) Depends on #1 and #2
 
 Results:
 
 3 messages
 1-1.5 RTTs (one if there's a simultaneous open, which is rare)
 
 So unless I'm missing something, we're still at 3 messages.
 
 Aside:
 
 I would like to point out that TCP-based protocols have the latency
 disadvantage of having to do a 3-way handshake before transferring any
 data.  If you were to design a new IP protocol, you could do the key
 exchange within the handshake, which would save 3 messages, but may be
 vulnerable to a resource-consumption attack on the CPU.
 
 I wonder if we here could develop a handshake that was
 cryptographically secure, resistant to CPU DoS now, and would be
 possible to adjust as we get faster at doing crypto operations to
 reduce latency even further.  Basically an easy knob for balancing
 high latency and DoS resistance vs. crypto overhead and low latency.
 It should be adjustable on either end without altering the other.
 
 -- 
 Life would be so much easier if it was open-source.
 URL:https://www.subspacefield.org/~travis/ Eff the ineffable!
 For a good time on my UBE blacklist, email [EMAIL PROTECTED]
 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

RE: refactoring crypto handshakes (SSL in 3 easy steps)

2007-11-13 Thread Pasi.Eronen 

The extra messages might be irrelevant for cryptography,
but they're not irrelevant for security or functionality.

E.g. in SSL, you have capability/feature negotiation
(cipher suites, trusted CAs, in TLS 1.2 also signature
algorithms, etc.) which IMHO *is* important for 
security (if you consider the security implications of 
deploying this over tens of years and hundreds of 
millions of hosts).

(But yes, there are variations of SSL where a smaller 
number of RTTs might have been sufficient..)

Best regards,
Pasi

 -Original Message-
 From: travis+ml-cryptography
 Sent: 08 November, 2007 21:50
 To: Cryptography
 Subject: refactoring crypto handshakes (SSL in 3 easy steps)
 
 ASSUMPTIONS:
 
 Network latency is important, and will only become more so, since
 light won't go faster in a given medium, and we can't do better than
 c, ever.
 
 PROPOSED SOLUTION:
 
 Refactor protocol to minimize number of interlocked steps.
 Specifically, reduce the number of messages.
 
 METHODOLOGY:
 
 Identify data which must be transmitted, and identify their
 dependencies.  Send data on first outbound message to peer after all
 its dependencies are available (i.e. on the step after it is
 received).  Each transmission is a sweep of one level of the
 dependency tree, starting at the root and working downward.
 
 PREVIOUS WORK:
 
 Three messages is the proven minimum for mutual authentication.  Last
 two messages all depend on the previous message, so minimum handshake
 time is 1.5 RTTs.
 
 EXAMPLE:
 
 First examine SSL with Mutual Auth, which is detailed here:
 
 http://en.wikipedia.org/wiki/Image:Ssl_handshake_with_two_way_
 authentication_with_certificates.png
 
 Here is a refactored version of the important messages:
 
 C-S: hello, RNc, client cert, enc_S(client_cert)
 S-C: server cert
 C-S: enc_S(PMS)
 
 DISCUSSION:
 
 Providing the datum as soon as its dependencies are satisfied is
 well-studied in processor design.
 
 One may have extra messages, but they are implementation artifacts,
 completely irrelevant to the cryptography.
 
 Network protocol libraries advance through time monotonically and thus
 are analogous to LR(1) language parsers which parse from left to right
 and are only able to look at the next token (message); perhaps we can
 apply what we already know about them to create unambiguous crypto
 handshakes with respectable error handling.
 
 Sending one layer of the dependency tree at once is like a synchronous
 circuit; one could also fire off messages as soon the data becomes
 available, like an asynchronous circuit, which may reduce overall time
 of the handshake due to computation by the endpoints.  However, it is
 an implementation detail, not important to this analysis.
 
 OPEN QUESTIONS:
 
 When would a handshake require more?  Is there such a thing, in any
 extant ZKS or PFS systems?
 
 COMMENTS?
 -- 
 Life would be so much easier if it was open-source.
 URL:https://www.subspacefield.org/~travis/ Eff the ineffable!
 For a good time on my UBE blacklist, email [EMAIL PROTECTED]
 

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]