Dear Kenny,

thank you for clarifying the state of the cryptographic analysis of TLS 1.2
and 1.3! I also do not see TLS 1.3 being nearly as well understood from a
security standpoint as the previous version. This is only natural given
that it is so recent. I am also not quite happy with the existing results
and their meaning for the final version of the standard (although I really
am happy that the cryptographic community in general accompanies the
standard development process.)
I would expect the most valuable results to be published once there is an
entirely fixed candidate specification. As Hugo has mentioned several times,
details really matter. Therefore I really like the idea of giving
cryptographers time to analyse the final candidate quite thoroughly before
acceptance.

And no, you guys are not the only ones reading this.

Many greetings,
Sven


2016-03-16 20:26 GMT+01:00 Paterson, Kenny <kenny.pater...@rhul.ac.uk>:

> Hi
>
> On 16/03/2016 18:44, "Watson Ladd" <watsonbl...@gmail.com> wrote:
>
> >On Wed, Mar 16, 2016 at 11:22 AM, Paterson, Kenny
> ><kenny.pater...@rhul.ac.uk> wrote:
> >> Hi
> >>
> >> On 16/03/2016 15:02, "TLS on behalf of Watson Ladd"
> >><tls-boun...@ietf.org
> >> on behalf of watsonbl...@gmail.com> wrote:
> >>
> >> <snip>
> >>
> >>>The analysis of TLS 1.3 is just wrong. TLS 1.3 has been far more
> >>>extensively analyzed than TLS 1.2. It's almost like you don't believe
> >>>cryptography exists: that is a body of knowledge that can demonstrate
> >>>that protocols are secure, and which has been applied to the draft.
> >>
> >> This is patently untrue. There is a vast body of research analysing TLS
> >> 1.2 and earlier. A good survey article is here:
> >>
> >> https://eprint.iacr.org/2013/049
> >
> >There's a vast literature, but much of it makes simplifying
> >assumptions or doesn't address the complete protocol.
>
> Correct, but that does not make it irrelevant or valueless. Or are you
> actually saying that it does? Quite a sweeping presumption; see
> immediately below.
>
> >The first really
> >complete analysis was miTLS AFAIK.
>
> Yes, and even there the analysis was done step by step, spread out over a
> series of papers which gradually built up the complexity of the code-base
> being handled. And, in parallel, various other groups were doing hand
> proofs of abstractions of the core protocol. And I believe it's fair to
> say - from having discussed it extensively with the people involved - that
> the miTLS final analysis benefitted a lot from the experience gained by
> the teams doing the hand proofs, going right back to a paper in 2002 by
> Jonsson and Kaliski Jr.
>
> My point is that the TLS 1.2 "final" analysis represented by the miTLS
> work was the culmination of a long line of research involving many people
> and influenced by many sources.
>
> > Furthermore, a lot of the barriers
> >to analysis in TLS 1.2 got removed in TLS 1.3.
>
> Unfortunately, some of them may be coming back again. But again, this has
> nothing to do with the argument you were making.
>
> >The question is not how
> >many papers are written, but how much the papers can say about the
> >protocol as implemented. And from that perspective TLS 1.3's Tamarin
> >model is a fairly important step, where the equivalent steps in TLS
> >1.2 got reached only much later.
>
> The timing is entirely irrelevant to the argument you were making.
>
> I agree though that it's about the depth and reach of the analysis. And
> from this perspective, I'd say that TLS 1.3 is still way behind TLS 1.2,
> despite the very nice analyses done by Sam and Thyla (and their
> collaborators), by Hugo & Hoeteck, and by Felix & co.
>
> I could go further, but I expect that, by now, only you and I are actually
> reading this.
>
> >It's true 0-RTT isn't included: so don't do it. But I think if we
> >subset (not add additional implementation requirements) TLS 1.3
> >appropriately we end up with a long-term profile that's more useable
> >than if we subset TLS 1.2, and definitely more than adding to the set
> >of mechanisms. I think claims that TLS 1.3 outside of 0-RTT is likely
> >to have crypto weaknesses due to newness are vastly overstated.
>
> I didn't make that claim.
>
> Cheers
>
> Kenny
>
> >--
> >"Man is born free, but everywhere he is in chains".
> >--Rousseau.
>
> "If I have seen further it is by standing on the shoulders of Giants"
> -- Newton, in a letter to Robert Hooke
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>