[mosh-devel] dtls

Keith Winstein keithw at MIT.EDU
Wed Jan 23 18:42:26 EST 2013


Hello Bruce,

We talk about this a little bit in the Mosh paper draft
(http://mosh.mit.edu/mosh-paper-draft.pdf), and a little less in the
actual paper, but the main reasons were probably as follows. I'm not
an expert on DTLS or crypto, so there may be better ways to use DTLS
that were not apparent to us when we were designing SSP.

(1) In DTLS, the client and server authenticate each other and
negotiate a session key using public-key encryption. I'm not sure how
we would use that in practice the way Mosh works -- when would the
key pairs be generated? How would each party verify the other's
public key?

(1b) I guess we don't think public-key encryption is necessary here.
We rely on out-of-band means (e.g. SSH) to authenticate the user in
the first place and convey a shared secret between server and client.

(2) Existing DTLS implementations don't roam. We could in theory make
a roaming version of DTLS with our own implementation, or try to proxy
DTLS through a roaming layer, but neither of these really seems like a
good idea. Layering roaming on top of an existing DTLS implementation
would require detecting when the existing connection had broken, and
then initiating and handshaking a new DTLS session.

Mosh/SSP can do single-packet roaming without the client's even
knowing that it roamed -- it's simple and works well.

(3) DTLS is kind of a lousy protocol that inherits its weaknesses from
TLS, which is like the fifth in a line of broken protocols (SSL 1, SSL
2, SSL 3, TLS 1.0...). Implementations have suffered from a bunch of
problems, in part because few protocols actually use DTLS so there are
not a lot of eyeballs on it, and even some fixes that get applied to
TLS don't make it to DTLS until later. And because DTLS does not have
replay prevention itself, we would need to use a replay cache (or
something like SSP) anyway.

See http://www.openssl.org/news/vulnerabilities.html,
http://blog.cryptographyengineering.com/2012/01/attack-of-week-datagram-tls.html,
http://blog.cryptographyengineering.com/2012/05/tale-of-two-patches.html

Since the first beta testing of Mosh and SSP in 2011, our security
track record is a lot better than OpenSSL DTLS, but our track record
overall is also a lot shorter and we have fewer people trying to find
attacks. We think and hope our protocol is simpler and better for this
application, but anybody should be skeptical of a new secure-datagram
protocol, ours included.

Hope this helps.

Best regards,
Keith

On Tue, Jan 22, 2013 at 5:54 PM, Bruce A Downs <bruce_downs at yahoo.com> wrote:
> I read through the mail-devel archive looking for why ocb was chosen. I see
> justifications for aes-ocb over gcm/ccm/etc, but no mention of dtls.
>
> Was dtls considered?
>
> -bruce
>
> _______________________________________________
> mosh-devel mailing list
> mosh-devel at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
>
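As an added illustration of the two SSP properties Keith contrasts with DTLS in the reply above, replay prevention and single-packet roaming, here is a toy datagram receiver keyed with a shared secret that is assumed to have been delivered out of band (as over SSH). This is not Mosh's or SSP's code; the HMAC framing, the 64-entry sliding window and the sample key are assumptions made for the example.

```python
import hmac
import hashlib
import struct

WINDOW = 64  # assumed size of the anti-replay window (sequence numbers below the highest seen)
TAG_LEN = 32  # HMAC-SHA256 output length; SSP itself uses AES-OCB, this is a stand-in


def build_datagram(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 8-byte big-endian sequence number || payload || MAC over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class DatagramReceiver:
    """Receiver that authenticates, rejects replays, and roams to the sender's address."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1   # highest sequence number accepted so far
        self.seen = 0       # bit i set => sequence number (highest - i) already accepted
        self.peer = None    # last authenticated source address; updated on every fresh packet

    def receive(self, datagram: bytes, source):
        """Return the payload if the datagram is authentic and fresh, else None."""
        if len(datagram) < 8 + TAG_LEN:
            return None
        header, payload, tag = datagram[:8], datagram[8:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: must not move the window or the peer address
        seq = struct.unpack(">Q", header)[0]
        if seq > self.highest:
            shift = seq - self.highest  # slide the window forward, marking seq as seen
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None  # older than the window, or an exact replay
            self.seen |= 1 << offset  # out-of-order but fresh: accept once
        self.peer = source  # single-packet roaming: any fresh authenticated packet moves the peer
        return payload


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key, conveyed out of band in practice
    rx = DatagramReceiver(key)
    print(rx.receive(build_datagram(key, 0, b"hello"), ("198.51.100.1", 60001)), rx.peer)
```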
