kemtls / draft-celi-wiggers-tls-authkem
IETF drafts that describe AuthKEM and AuthKEM-PSK
Home Page: https://kemtls.org/draft-celi-wiggers-tls-authkem/
License: Other
Like using SetupBaseS/R followed by an Export().
Came up during the IETF meeting:
David Benjamin:
I'm concerned about authenticating the server's request to the client. Client certificate decisions can result in interesting side effects, like unlocking smartcards or prompting the user. Having something so visible not be authenticated is pretty scary.
HPKE already registers a bunch of KEMs
We need to figure out what to do about the following scenarios:
Probably fixable by mixing in '0' in the AuthKEM key schedule.
This might be tricky with the key schedule?
For some reason, Douglas Stebila's name got changed to 'Douglas Steblia' in the data tracker.
We should fix it in a new release of the draft.
For handshake authentication the value is hard-coded (null) but this value is used to distinguish post-handshake auth requests (of which there can be multiple existing in parallel because of reasons). It's probably good future-proofing if we don't omit this distinguisher.
[...]
SSc||0 * -> HKDF-Extract = Main Secret
                 |
                 +--> Derive-Secret(., "c ap traffic",
                 |                     ClientHello...server Finished)
                 |                     = client_application_traffic_secret_0
                 |
                 +--> Derive-Secret(., "s ap traffic",
                 |                     ClientHello...server Finished)
                 |                     = server_application_traffic_secret_0
[...]
The traffic keys are here shown to be derived from server Finished. This is not possible: we've not received/sent the server's Finished yet when we already need to derive the client application traffic keys. The KEMTLS paper and analyses use that these keys are derived from the complete transcript (unlike in TLS 1.3). Changing it to be derived from just client Finished, I don't like so much.
If we deliver the KEM public key via something that is not a certificate, should we use cached_info for conveying the public key digest/fingerprint?
We could maybe see if we can build AuthKEM-PSK on top of pre_shared_key instead of reinventing the wheel.
We should add a section or discuss why someone would use KEM-based auth.
cc./ @thomwiggers @chris-wood
Ilari writes:
Reading the draft, it occurs to me that adapting it to work on DTLS (or unreliable CTLS) might require major and very challenging changes to DTLS 1.3. Especially with client authentication.
And 0-RTT client auth probably can not work in DTLS at all, since DTLS has no reliability for 0-RTT, unlike the rest of the handshake, which is reliable.
The document could mention that to derive the application_traffic_secret, an attacker needs more than a single private key. Having a single ephemeral private key is no longer enough, as is the case in ordinary certificate-based TLS 1.3.
https://mailarchive.ietf.org/arch/msg/pqc/ZXleiKjJzbHv7sYRas11Z4lIjlk/
Inspired by Dennis Jackson's https://dennisjackson.github.io/draft-jackson-tls-cert-abridge/draft-jackson-tls-cert-abridge.html#name-preliminary-evaluation we should also include a brief section where we show the sizes of some instantiations.
The KEM API we use in AuthKEM makes use of HPKE's key derivation, which allows label inputs.
We currently concatenate the context info to the setup label, but we should instead put it into the export function. This avoids string concatenation.
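The two derivation styles discussed in this issue and in the earlier "SetupBaseS/R followed by an Export()" note, shown side by side as an added example (this is not code from the draft or the kemtls project). It implements the HPKE base-mode key schedule and Export() from RFC 9180 with stdlib HKDF-SHA256 only; the KEM step is abstracted away, so both sides are assumed to already hold the same shared secret after Encap()/Decap(), the setup label string is hypothetical, and the shared secret and transcript contexts are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 9180 ciphersuite identifiers: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM.
# The KEM itself is abstracted away: both sides are assumed to hold the same
# KEM shared secret after Encap()/Decap(), so only the key schedule is modelled.
KEM_ID, KDF_ID, AEAD_ID = 0x0020, 0x0001, 0x0001
SUITE_ID = b"HPKE" + struct.pack(">HHH", KEM_ID, KDF_ID, AEAD_ID)
NH = 32            # output length of HKDF-SHA256
MODE_BASE = 0x00   # mode_base: no PSK, no sender authentication inside HPKE

# Hypothetical setup label; the draft's actual label string is not reproduced here.
SETUP_LABEL = b"tls13 authkem example"

# Constructed sample inputs (not real handshake values).
SHARED_SECRET = hashlib.sha256(b"constructed KEM shared secret").digest()
CONTEXT_A = b"transcript-hash-A"
CONTEXT_B = b"transcript-hash-B"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract; an empty salt is padded with zeros by HMAC itself.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    # RFC 9180 s4: LabeledExtract(salt, label, ikm)
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    # RFC 9180 s4: LabeledExpand(prk, label, info, L)
    labeled_info = struct.pack(">H", length) + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def key_schedule_exporter_secret(shared_secret: bytes, info: bytes) -> bytes:
    # Base-mode KeySchedule (RFC 9180 s5.1), reduced to the exporter_secret output.
    # This is the part of SetupBaseS/SetupBaseR that runs after Encap()/Decap().
    psk_id_hash = labeled_extract(b"", b"psk_id_hash", b"")
    info_hash = labeled_extract(b"", b"info_hash", info)
    key_schedule_context = bytes([MODE_BASE]) + psk_id_hash + info_hash
    secret = labeled_extract(shared_secret, b"secret", b"")
    return labeled_expand(secret, b"exp", key_schedule_context, NH)


def export(exporter_secret: bytes, exporter_context: bytes, length: int) -> bytes:
    # RFC 9180 s5.3: Context.Export(exporter_context, L)
    return labeled_expand(exporter_secret, b"sec", exporter_context, length)


def derive_via_concat(shared_secret: bytes, context: bytes) -> bytes:
    # Approach the issue wants to move away from: the handshake context is
    # string-concatenated onto the setup label, so each distinct context
    # requires its own HPKE setup (a fresh key schedule).
    exporter_secret = key_schedule_exporter_secret(shared_secret, SETUP_LABEL + context)
    return export(exporter_secret, b"", NH)


def derive_via_export(shared_secret: bytes, context: bytes) -> bytes:
    # Proposed approach: a fixed setup label, with the context passed to Export()
    # so one setup can yield several context-bound secrets without concatenation.
    exporter_secret = key_schedule_exporter_secret(shared_secret, SETUP_LABEL)
    return export(exporter_secret, context, NH)


def both_sides_agree(derive, context_sender: bytes, context_receiver: bytes) -> bool:
    # Sender and receiver only land on the same secret if their contexts match.
    return derive(SHARED_SECRET, context_sender) == derive(SHARED_SECRET, context_receiver)


if __name__ == "__main__":
    for name, derive in (("concat", derive_via_concat), ("export", derive_via_export)):
        print(name, derive(SHARED_SECRET, CONTEXT_A).hex())
        print(name, "agree on matching context:", both_sides_agree(derive, CONTEXT_A, CONTEXT_A))
        print(name, "agree on mismatched context:", both_sides_agree(derive, CONTEXT_A, CONTEXT_B))
```

In both styles a peer with the wrong transcript context derives a different secret, which is the binding the draft needs; the difference is where the context enters. With Export() the setup label stays fixed and the context goes through HPKE's own labelled Expand step, so the key schedule is computed once per handshake and no ad-hoc string concatenation of label and transcript is needed.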