On Sun, Oct 11, 2015 at 8:17 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Sun, Oct 11, 2015 at 09:25:10AM +0200, Rick van Rein wrote:
>> > *From:* internet-dra...@ietf.org
>> >
>> > Name: draft-vanrein-tls-kdh
>> > Revision: 00
>>
>> Hello TLS WG,
>>
>> I would like to propose new CipherSuites for TLS. The cryptography is
>> founded on Kerberos authentication and DH encryption, cryptographically
>> bound together. The mechanism uses mutual authentication, although
>> clients may use anonymous tickets.
>>
>> Any feedback that you may have (technical, or WG-procedural) is kindly
>> welcomed. I will also send this to the Kitten WG.
>
> Some quick comments:
> - The signed DH share does not look to be bound to anything (crypto
>   parameters negotiation, randoms, server key exchange, etc..). I can't
>   offhand say what that would lead to, but it looks even worse than
>   TLS ServerKeyExchange, which has known vulnerabilities due to
>   lack of binding to things like ciphersuite.
> - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC
>   (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2].
> - Even use of DH is questionable.
I would suggest piggybacking on the PSK mode, using the key Kerberos
provides at both ends as the PSK key. This would address all of these
issues in TLS 1.3.

Sincerely,
Watson

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
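Added illustration (not code from the draft, from the thread, or from any of its authors) of what the PSK-mode suggestion above buys. In TLS 1.3 the PSK feeds the key schedule, and the client proves possession of it with a PSK binder, an HMAC keyed from the PSK over the ClientHello bytes up to the binders list. Because those bytes include the offered cipher suites and the client random, the key is bound to the negotiation, which is the binding the reviewer says the signed DH share lacks. The key schedule below follows RFC 8446 (sections 4.2.11.2 and 7.1); the Kerberos session key, the ClientHello bytes and the info string used to turn the Kerberos key into a PSK are constructed placeholders for this example. One caveat a deployment would want: do not hand the raw Kerberos session key to TLS; derive a TLS-specific key from it, as `kerberos_key_to_psk` does, so the two protocols never share key material directly.

```python
import hashlib
import hmac

# TLS 1.3 PSK binder computation (RFC 8446, sections 4.2.11.2 and 7.1) keyed
# from a Kerberos session key.  Example code added for illustration; not from
# draft-vanrein-tls-kdh or the mailing-list thread.

HASH = hashlib.sha256          # hash of an assumed SHA-256 cipher suite
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1).  HkdfLabel is
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def kerberos_key_to_psk(session_key: bytes) -> bytes:
    """Map a Kerberos session key to a TLS 1.3 external PSK.

    The Kerberos key is not used raw: it goes through HKDF with a fixed,
    TLS-specific info string so TLS and Kerberos never share key material
    directly.  The info string is a constructed label for this example,
    not a registered one.
    """
    return hkdf_expand(hkdf_extract(bytes(HASH_LEN), session_key),
                       b"example: kerberos session key -> tls13 external psk", HASH_LEN)


def psk_binder(psk: bytes, truncated_client_hello: bytes) -> bytes:
    """PskBinderEntry for an external PSK over the ClientHello truncated just
    before the binders list (RFC 8446 section 4.2.11.2)."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)             # salt = 0^Hash.length
    binder_key = derive_secret(early_secret, b"ext binder", b"")  # "ext binder": external PSK
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


def server_accepts_binder(psk: bytes, truncated_client_hello: bytes, binder: bytes) -> bool:
    """Server side: recompute the binder from its own PSK copy and the bytes it
    actually received, then compare in constant time."""
    return hmac.compare_digest(psk_binder(psk, truncated_client_hello), binder)


# --- Constructed sample data (not real Kerberos or TLS traffic) -------------
KRB_SESSION_KEY = hashlib.sha256(b"constructed kerberos session key").digest()
TLS_AES_128_GCM_SHA256 = b"\x13\x01"
TLS_CHACHA20_POLY1305_SHA256 = b"\x13\x03"


def build_truncated_client_hello(cipher_suites: list) -> bytes:
    """Stand-in for the ClientHello bytes up to the binders; the cipher suite
    list and the random are included so the binder covers them."""
    suites = b"".join(cipher_suites)
    return (b"\x01"                                   # handshake type: client_hello
            + b"\x03\x03"                             # legacy_version
            + bytes(32)                               # client random (constructed zeros)
            + len(suites).to_bytes(2, "big") + suites
            + b"psk identity: constructed")           # pre_shared_key identity bytes


def demo() -> dict:
    psk = kerberos_key_to_psk(KRB_SESSION_KEY)
    hello = build_truncated_client_hello([TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256])
    binder = psk_binder(psk, hello)
    # An on-path attacker rewrites the suite list; the binder no longer verifies.
    modified = build_truncated_client_hello([TLS_AES_128_GCM_SHA256])
    return {
        "genuine": server_accepts_binder(psk, hello, binder),
        "modified_suites": server_accepts_binder(psk, modified, binder),
        "wrong_key": server_accepts_binder(kerberos_key_to_psk(b"other"), hello, binder),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the genuine ClientHello verifying and both the altered suite list and a different Kerberos key failing, which is the property the reviewer asked for: the authenticating key is tied to the parameters actually negotiated, not to a DH share floating free of the handshake.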