Review of draft-ietf-tls-ctls-07 The template-based mechanism is a nice idea for TLS. A more compact version of TLS and DTLS is very welcome. My company has several times suggested the use of TLS or DTLS in different SDO but the SDO has often decided to design something new as both the handshake and record layer has been considered too large. The DTLS 1.3 record layer is _very_ slim (good job) and cTLS handshake is a nice improvement from the full (D)TLS handshake. The current sizes would increase the cases where TLS can be used even if it is still too large for very constrained IoT.
Comments: - Abstract How can it be "logically isomorphic" and use "alternative cryptographic techniques"? - "Semi-static and point compression are never mentioned again." If you just use x25519 you don't need point compression. For P-256 I think it would make more sense with compact representation. If you want to use P-256 it might be best to register a new group (I think this was suggested somewhere but I cannot find it). But just truncating the key share to 32 byte in this draft would also work. I don't think semi-static is the right word here. I think OPTLS use the term semi-static for a key with a lifetime between ephemeral and static. What would make cTLS messages smaller is to use ephermeral-static ECDHE for implicit authentication. I don't think the lifetime of the key matters. - "45 bytes over the minimum required by the cryptovariables" Can be discussed if random, y-coordinate, signatures, double MACs etc. are "required". Suggestion: "45 bytes over the the cryptovariables" - "Annotated handshake transcripts for these cases" There is no transcripts for PSK... - "Most of the other exchanges in TLS 1.3 are highly optimized" TLS 1.3 with PSK is not "highly" optimized. PSK+ECDHE echange with P-256 in TLS 1.3 takes a total of 370 bytes and such an AKE can be done in around 100 bytes. https://datatracker.ietf.org/doc/draft-ietf-lwig-security-protocol-comparison/ - "an equivalent JSON dictionary format" I think CBOR would make more sense for IoT applications. But I guess cTLS can reduce latence for TLS in general. For RFC 9140 the general conclusion seems to be that it was a mistake to use JSON instead of CBOR. - "IMPORTANT: Using short Random values can lead to potential attacks." If you anyway disable anti-downgrade mechanism, the problem I can see with using short or no Random is for the psk_ke mode, when reuseing key shares, or if the placement of random in the ClientHello and ServerHello would matter. - "hashing ephemeral public keys and to use the result" This seems like a good suggestion if the placement and random in the messages matters. Might be that this hashing is not needed. - "More analysis is needed to know the minimum safe Finished size." Such analysis could also incorporate the record layer MAC that he finished is sent in. TLS has two layers of MACs. Might even be that 0 byte Finished is secure. Cheers, John From: TLS <tls-boun...@ietf.org> on behalf of internet-dra...@ietf.org <internet-dra...@ietf.org> Date: Tuesday, 3 January 2023 at 17:58 To: i-d-annou...@ietf.org <i-d-annou...@ietf.org> Cc: tls@ietf.org <tls@ietf.org> Subject: [TLS] I-D Action: draft-ietf-tls-ctls-07.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security WG of the IETF. Title : Compact TLS 1.3 Authors : Eric Rescorla Richard Barnes Hannes Tschofenig Benjamin M. Schwartz Filename : draft-ietf-tls-ctls-07.txt Pages : 25 Date : 2023-01-03 Abstract: This document specifies a "compact" version of TLS and DTLS. It is logically isomorphic to ordinary TLS, but saves space by trimming obsolete material, tighter encoding, a template-based specialization technique, and alternative cryptographic techniques. cTLS is not directly interoperable with TLS or DTLS, but it should eventually be possible for a single server port to offer cTLS alongside TLS or DTLS. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-tls-ctls/ There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-tls-ctls-07.html A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-ctls-07 Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
