Re: [Cfrg] [TLS] Document on increasing the lifetime of session keys

Евгений Алексеев <geni-cmc@mail.ru> Wed, 31 August 2016 16:04 UTC

Return-Path: <geni-cmc@mail.ru>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57BD12D0D3; Wed, 31 Aug 2016 09:04:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mail.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RX-SgXofcMuE; Wed, 31 Aug 2016 09:04:21 -0700 (PDT)
Received: from f430.i.mail.ru (f430.i.mail.ru [185.5.136.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE11A12B075; Wed, 31 Aug 2016 09:03:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail2; h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:Cc:To:From; bh=iv3L8Ap8j+0J0/CzBZe3PN+c7WovJhoK/FLOXTG5Mrs=; b=fOt/4PbCENqLwJ8yd6y5hdckD1N9URr+1oNUlR6xLMkiLrPrqKut9zxPLQxSiEEMg/Z/RZdyZ9ZVwPi7DRGiURNwvuQ6UDrqa/ybLkrJlPMz/9Yw18Tw2tEUgweryqIB+5tKJI2zh0sleRQJ9WoAkVXz07cE9v8DVbnDlOinUyY=;
Received: from [193.37.157.2] (ident=mail) by f430.i.mail.ru with local (envelope-from <geni-cmc@mail.ru>) id 1bf7yd-0003VY-OL; Wed, 31 Aug 2016 19:03:00 +0300
Received: from [193.37.157.2] by e.mail.ru with HTTP; Wed, 31 Aug 2016 19:02:59 +0300
From: =?UTF-8?B?0JXQstCz0LXQvdC40Lkg0JDQu9C10LrRgdC10LXQsg==?= <geni-cmc@mail.ru>
To: =?UTF-8?B?RXJpYyBSZXNjb3JsYQ==?= <ekr@rtfm.com>, =?UTF-8?B?TWloaXIgQmVsbGFyZQ==?= <mihir@eng.ucsd.edu>
MIME-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [193.37.157.2]
Date: Wed, 31 Aug 2016 19:02:59 +0300
X-Priority: 3 (Normal)
Message-ID: <1472659379.924523441@f430.i.mail.ru>
Content-Type: multipart/alternative; boundary="--ALT--5gUGANTJBxvYyK2E1zJ1BCxHWrtw0jn31472659379"
X-Mailru-Sender: 534CBB7A632DDA3F5EA110A820F45F9DAB11BC7CA93B0BD4A6D8A2E306644B2B1B2587948E2613F0
X-Mras: OK
X-Spam: undefined
In-Reply-To: <20160828144220.5828688.24760.6532@gmail.com>
References: <CAMr0u6mafme1Kh_gv7d8krToSnDxW1AxXuZrJvzcG8fa==U7rA@mail.gmail.com> <CABcZeBOh=3zqYv=U+Yd1vF-niwpziPA-rawSRdTLqyTOSeDC+Q@mail.gmail.com> <20160828144220.5828688.24760.6532@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/BMQ0goUJCfRP5GrvwOV4UaDvBno>
Cc: cfrg@irtf.org, =?UTF-8?B?PHRsc0BpZXRmLm9yZz4=?= <tls@ietf.org>
Subject: Re: [Cfrg] =?utf-8?q?=5BTLS=5D_Document_on_increasing_the_lifetime_of?= =?utf-8?q?_session_keys?=
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: =?UTF-8?B?0JXQstCz0LXQvdC40Lkg0JDQu9C10LrRgdC10LXQsg==?= <geni-cmc@mail.ru>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 16:04:25 -0000

Hello, Eric and Mihir!
One other consideration about the connection between key meshing and usage of KDFs (with session keys derived from a master key in the moment of “Key update”): they can (and in a lot of cases they should) be used together, if you have really strict limitations on key lifetime. In these cases KDF may be used for deriving keys for the message (or packet or some other block of data that is to be handled separately) and key meshing to make it possible to handle rather long messages.
For example, if you have to limit key usage with 4 KB (e.g. your potential adversary has truly powerful capabilities of intercepting side-channel leakage of a key on operations with it) and you handle messages of variable length, you can KDF a new session key for each message and then work as usual – knowing that when the length of a message exceeds 4 KB, key meshing will work and you would be able to continue working. And it’ll be done transparently – just like you are using a modified block cipher mode, which expands key lifetime.
Otherwise you’ll have either to limit the size of messages (which is not always suitable), or get several KDFed session keys from the master key for a message if it’s long enough – which means hard fragmentation of messages and additional costs for starting/stopping encryption thread.
 --  Regards,
Evgeny Alekseev
CryptoPro


>Воскресенье, 28 августа 2016, 17:42 +03:00 от "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>om>:
>
>‎Dear Eric,
>
>Thank you for your comment - indeed, re-keying mechanisms based on secret state are widely used in the protocols (key trees are usual practice in ESP with GOSTs for more than 10 years, for example). My point is that a simple (e.g. without any additional keys or structures) and effective mechanism to increase ‎block cipher modes limitations on plaintext size can be helpful itself, without incorporating to a protocol. 
>
>About connection with TLS 1.3 draft - for example, we don't want the GCM mode be defined inside some protocol RFC, it should be defined separately, isn't it?  So the question is that if such mechanisms are needed, than separate documents on them can be a better solution.
>
>And my primary point here is about stateless techniques: as follows from t‎he preprint I cited before, the key lifetime for CTR can be increased quadratically, for example. 
>
>Kindest regards,
>Stanislav
>
>От:  Eric Rescorla
>Отправлено:  воскресенье, 28 августа 2016 г., 16:52
>Кому:  Stanislav V. Smyshlyaev
>Копия:  cfrg@irtf.org; Mihir Bellare; Paul Lambert; Paterson, Kenny; Mike Hamburg; < tls@ietf.org >
>Тема:  Re: [TLS] Document on increasing the lifetime of session keys
>
>Stanislav,
>
>TLS 1.3 incorporates a rekeying mechanism (KeyUpdate) similar to that if Abdalla and Bellare 1(b).
>
>-Ekr
>
>
>On Sun, Aug 28, 2016 at 3:48 AM, Stanislav V. Smyshlyaev  < smyshsv@gmail.com > wrote:
>>Dear colleagues,
>>Since there is a considerable interest to the question of increasing session keys lifetime (several productive off-the-list personal discussions about CryptoPro key meshing algorithms and  http://eprint.iacr.org/2016/628  started after the Friday posting), maybe we should think about getting started a work on a document on efficient re-keying (about techniques without secret state and/or techniques with it (like in M. Abdalla and M. Bellare work,  https://cseweb.ucsd.edu/~mihir/papers/rekey.html )) mechanisms for common cipher modes (CTR, CCM, GCM, CBC, CFB) in CFRG? 
>>If you consider it reasonable, we can prepare a first version of such a draft based on our results (both included in that our preprint and new ones which we are working on currently) before IETF 97 to be able to have a discussion on this issue there in Seoul.
>>Kindest regards,
>>Stanislav Smyshlyaev
>>_______________________________________________
>>TLS mailing list
>>TLS@ietf.org
>>https://www.ietf.org/mailman/listinfo/tls
>>
>
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg