Is the security property mentioned below a defined goal of, and proved for, TLS 1.3?
Just curious, because it seems a little counter-intuitive: impersonation of an anonymous (unauthenticated) client, under the harsh conditions of all content in the clear. It is certainly plausible by regarding the client as having a MAC key and a pseudonym from the handshake: I think many key exchange proofs have a notion of sessions, etc., and PKE definitions also have notions of non-malleability, so I would not be surprised if a proof of this property is known for TLS 1.3. If there is a proof, then could it be said that eTLS defeats the proof, etc.

From: Tony Arcieri
Sent: Saturday, December 1, 2018 11:00 AM
To: beld...@gmail.com
Cc: Crypto; <tls@ietf.org>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management

This does not seem to address a problem which was brought up when the similar draft-green-tls-static-dh-in-tls13-00 was discussed, namely any system in possession of one of the non-ephemeral-ECDHE private keys, ostensibly for the purposes of passive traffic decryption, can arbitrarily resume decrypted sessions and therefore impersonate any observed clients.

I'm not a fan of systems like this, but I believe for security reasons they should be designed in such a way that only the confidentiality of traffic is impacted, and a "visibility" system isn't able to leverage the decrypted traffic to resume decrypted sessions and thereby impersonate clients.

--
Tony Arcieri
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls