I haven’t looked carefully, but what does this construction break?
That's just 2 minutes of thinking. No doubt there are "better" ones. Seems unrealistic to expect to prevent the server from leaking the ECDH key to something it trusts, in a scalable way that depends only on out-of-band shared key + the bytes on the wire. What's the exact goal?
-
-
Goal for whom? Enterprises: decrypt data by man-on-the-side boxes. TLS WG: prevent exactly that. Matt: provide a visible, standardized mechanism to do it so enterprises don’t do exactly the sort of thing you propose.
-
The "prevent exactly that" group. I get the impression they're less interested in preventing "enterprise" stuff and more interested in preventing government-scale use of that stuff. There are lots of reasons one can't prevent, technologically, the "enterprise" use cases.
-
Once enterprise builds the systems and gets their revisions into every Blue Coat middlebox, half the engineering work of those abusive governments is done.
-
Yeah, that's what I'm trying to say. And, to be honest, the design & implementation of even an impossible-to-detect mechanism is not hard.
-
How do you get around the CA problem? I'd think a stealth intermediary would get flagged pretty quickly by Mountain View.
-
Like I mentioned earlier in this thread, if you want to share a static key but you need the ECDH key to change every connection, you can do that by making the ECDH key a function of the static key and Server.Random.
-
If we wanted to prevent this kind of thing, then we would have tried to find a way to make the protocol secure by making Server.Random deterministic, and get people to insist on that variant of TLS. (Even now, given the use of ephemeral DH, does Server.Random need to be random?)
-
This is an impossible problem. You’d have to lock down every potentially random byte of the protocol to make this work, and even then you could always use a timestamp or an out-of-band channel.