On 04/05/2017 04:03 AM, Karthikeyan Bhargavan wrote:
> We’re hoping that the TLS:DIV workshop later this month will serve to
> gather some opinions from the academic community on the current spec.
> https://www.mitls.org/tls:div/
>
> At IEEE S&P (Oakland), there will be at least two papers on analyses
> of draft 18:
> - A ProVerif and CryptoVerif analysis of the protocol (and a minimal
>   reference implementation)
> - A verified F* implementation of the record layer
>
> So, putting these together with the upcoming Tamarin analysis and
> previously published papers on prior drafts, I think we’ll have a
> solid bibliography justifying the core design of TLS 1.3, especially
> the (EC)DHE and PSK 1-RTT handshakes along with resumption.
>
> What I am less confident about is the secure usage of features like
> 0-RTT, 0.5-RTT, and post-handshake authentication.
> Many researchers have looked at these aspects (and they can correct me
> if I am wrong), but the security guarantees we can prove for these
> modes are much more limited than for the regular 1-RTT handshake. My
> concern is that these features will inspire new usage patterns for
> TLS 1.3 that have not been adequately studied. I am not sure what we
> can do about that except maybe work harder on the security
> considerations.
W.r.t. 0-RTT/0.5-RTT in particular, since applications MUST NOT use them without an application profile specifying their use, it may be worth analyzing the particular application profiles as well, e.g., https://datatracker.ietf.org/doc/html/draft-nottingham-httpbis-retry .

-Ben
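One concrete shape such an application profile can take, as an added illustration that is not code from this thread, from the TLS working group, or from the cited draft: a server-side gate that serves only replay-safe HTTP methods from 0-RTT early data and refuses everything else until the full handshake has completed. The set of safe methods, the `Request` type and the `in_early_data` flag are assumptions for this example; the `Early-Data: 1` header and the 425 Too Early status are taken from RFC 8470.

```python
"""Constructed HTTP early-data (0-RTT) application-profile check.

Added illustration only. The rule it models: data sent in 0-RTT can be
replayed by a network attacker, so the profile lets the server act on
early data only when acting on it twice is harmless, and defers anything
else to the 1-RTT handshake.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict

# Assumed profile rule: only these methods are safe to replay.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

@dataclass
class Request:
    """Minimal request model (constructed for this example)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Assumed to be set by the TLS layer: True while the request
    # arrived in early data, before the handshake completed.
    in_early_data: bool = False

def apply_profile(req: Request) -> Tuple[Optional[int], Dict[str, str]]:
    """Decide how the gate handles one request.

    Returns (status, headers): status is None when the request may be
    forwarded to the application now, or 425 (Too Early, RFC 8470) when
    the server must refuse it until the handshake has completed. When a
    request from early data is forwarded, the Early-Data: 1 header is
    added so the application can apply its own stricter judgement.
    """
    if not req.in_early_data:
        # Handshake is complete: the request cannot be a 0-RTT replay.
        return None, dict(req.headers)
    if req.method.upper() in SAFE_METHODS:
        forwarded = dict(req.headers)
        forwarded["Early-Data"] = "1"
        return None, forwarded
    # Methods with side effects (POST, PUT, DELETE, ...) would be unsafe
    # to replay: refuse them and let the client retry after 1-RTT.
    return 425, {}
```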
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls