[Cryptography] Why TLS? Why not modern authenticated D-H exchange?
Thierry Moreau
thierry.moreau at connotech.com
Tue Sep 6 11:43:06 EDT 2016
Dear applied cryptographers ...
The STS protocol (Station-To-Station) evolved into Hugo Krawczyk SIGMA
(Sign-and-MAC) variant which is now found in IPSEC IKE and HIP (Host
Identity Protocol, IETF RFC7401).
However, if one wants to consider this as an alternative to TLS,
documentation sources are few and either too academic or too overloaded
with protocol details detracting from the security properties.
I did face this situation while looking for a basic authenticated key
establishment protocol. STS has been the very first secure protocol to
which I was exposed decades ago, but recently I could not recognize its
features/properties in any TLS deployment profile. So I researched the
STS impact on modern protocols and I recorded my findings in this document:
"The Classical Authenticated Diffie-Hellman Exchange Revisited (with the
Bladderwort Protocol Feature Addition)"
http://www.connotech.com/pract_sec_authed_dh_xchng.html
Abstract:
When a secure data communications channel between two distant server
systems must be established, the TLS (Transport Layer Security) is the
solution that comes first to the mind of IT security experts. Departing
from this default common wisdom, we revisit the authenticated
Diffie-Hellman exchange as a solution well rooted in the early ideas in
the field of public key cryptography, refined by the dedication of
theoreticians, and entrenched in a few (less conspicuous) Internet
secure protocol standards, namely IPSEC IKE and HIP. Under the name
Bladdarwort, we also propose a minor protocol addition for streamlined
server operations where a long-term private signature key is better kept
off-line during the operational phase of the secure communications channel.
===========
I guess the end result holds important lessons, as a straightforward
solution path for a basic and recurring issue in IT security. Yet, the
difficult aspects of applied cryptography remain difficult, the document
being explicit about them.
Thus, why TLS?
- Thierry Moreau
More information about the cryptography
mailing list