Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

On Mon, Jan 2, 2017 at 11:43 AM, Yoav Nir wrote: > I’m assuming that the server generates private keys and saves them to a file > along with the time period that they were used, and another machine in a > different part of the network records traffic. It’s not so much that

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

On Mon, Jan 2, 2017 at 11:43 AM, Yoav Nir wrote: > I’m assuming that the server generates private keys and saves them to a > file along with the time period that they were used, and another machine in > a different part of the network records traffic. It’s not so much that

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

> On 2 Jan 2017, at 20:59, Eric Rescorla wrote: > > > > On Mon, Jan 2, 2017 at 8:58 AM, Yoav Nir > wrote: >> >> . >> >> Since I think the utility of this falls off as a reciprocal, I'll try >> making a concrete suggestion

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

On Mon, Jan 2, 2017 at 8:58 AM, Yoav Nir wrote: > On 31 Dec 2016, at 20:36, Adam Langley wrote: > > Consider the motivations here: > > 1) We know that some implementations have gotten this wrong with TLS > 1.2 and cached values for far too long.

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

On Mon, Jan 02, 2017 at 06:58:36PM +0200, Yoav Nir wrote: > > Still, if we want to accommodate the banking industry (or whatever > part of it we’ve talked to in Seoul), then they need to be able to > tell based on a timestamp which private key was used for that handshake. > With 60 seconds key

[TLS] I-D Action: draft-ietf-tls-iana-registry-updates-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security of the IETF. Title : D/TLS IANA Registry Updates Authors : Joe Salowey Sean Turner

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

Yoav, Thanks for pointing to this PR. Clearly we're only going to land one of these. One thing I wanted to note, as discussed in the comments on that PR, is that at least some of the proofs of security of TLS 1.3 assume that both sides use fresh DH shares. In TLS 1.3, of course, the nonces

Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh

Typo correction below. On Jan 1, 2017 12:43 PM, "Hugo Krawczyk" wrote: There is more than one way to "backdoor" the use of DH (i.e., to not enforce forward secrecy) and some of these ways are completely undetectable (in particular, they would not repeat DH values). One