Re: [TLS] Re: WGLC: draft-ietf-tls-srp-13
(as FIPS 800-56B drafts are not available to the likes of me.)
I've been attempting to deconstruct what I understand NIST's position on
next generation RSA ciphersuites to be (from what I assume 800-56B to say):-
Based on the way 800-56A discusses the role of RSA (or other) key transport.
One uses DH in the users' national identity cards to agree a random
secret, which has the important property of "bi-lateral key confirmation"
implicit to the math of the DH/KEA etc. This agreement process may include
certain DH ephemerals in addition to statics, and a UKM nonce. This process
satisfies the writer-to-reader rules.
One may use RSA as an IK to transport to several parties the "secret" value
to the authorized HSMs associated with one or more users (e.g. one's
TPM-based SSL CSP, or a broadcast community of HSMs). The crypto device uses
a parameterized KDF to transform the value into a KEK, which unwraps the
keying materials (and MAC secrets) used in the SSL HSMs. Presumably, the KDF
enforces TPM assurance controls, preventing key derivation when the secret
is not assured to be from authorized id cards (validated using "tri-lateral
key confirmation" using some unstated method (e.g. HSM certs)).
"Key confirmation" would have to be trilateral, if there is key confirmation
by a "third party" - the community of authorized crypto devices.
The final KDF (per connection) in the SSL Finished protocol takes into
account the roles of the 2 or more SSL parties, currently hashes of the
terms "client" and "server".
------------
For fun one can extrapolate, doctrinally:-
One can define a role for TLS Evidence, which exists to audit such
handshakes, using a dig sig of the handshake hashes (and store the handshake
plaintexts). Presumably, the router/ISP can enforce policy to (a) interdict
certain flows, (b) record certain auditable handshake plaintexts.
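The per-connection Finished computation the message refers to, as an added illustration that is not part of the original post: the TLS 1.2 PRF of RFC 5246 deriving the master secret from both parties' randoms and then the verify_data for each role, so that a client's Finished value can never be accepted in place of a server's and any change to the transcript changes the value. The pre-master secret, randoms and transcript bytes below are constructed sample values.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion (RFC 5246 s.5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte per-connection master secret, bound to both parties' nonces."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def verify_data(master: bytes, role: str, handshake_messages: bytes) -> bytes:
    """12-byte verify_data for Finished; the role label separates the two directions."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    label = role.encode() + b" finished"
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)

# Constructed sample values, not real handshake data.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

def demo() -> dict:
    """Both roles over the same transcript, plus one tampered transcript."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return {
        "master_secret": ms,
        "client": verify_data(ms, "client", TRANSCRIPT),
        "server": verify_data(ms, "server", TRANSCRIPT),
        "tampered": verify_data(ms, "client", TRANSCRIPT + b"|Injected"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```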