Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits-01
John Mattsson <john.mattsson@ericsson.com> Tue, 17 November 2020 09:05 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D2233A0AAD for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 01:05:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qi_fIxzfHBtm for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 01:05:29 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80054.outbound.protection.outlook.com [40.107.8.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A7033A0A42 for <cfrg@irtf.org>; Tue, 17 Nov 2020 01:05:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ARB8xga7ipO8YFIc6n5zWxXvLhd/R39qjjeuH6CThnnCTDUacYsOeUOjXHZLaXnoUsj6BspumzMGKs90ITWnAKavowkoveCIq/qZAzbgsFWveZSvV9NaCtzj1ieGmjjmnO5U1Ek9jIMKUJJrmtMGU9HrzQSosKY+sqzZDWNQlCjXtP4V1DXRz2wtic7V+aGoEPfQhEuzN1XqJByaK70yxv12wIKRDexWY2Wh6UT5j/GkmMDTk5UDTppG+KuO96MjR9Ku9zuIQ6rBF5NRNdgclx/BjpX4jDAl28DoYlwwQADgbJuoYtxACzP+49vhVXU9gtOQZW/aRx3SE0ztCRHJeA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3JYY56TTuQo3liBfz3CFvcTe6UXodOCqLZLqbSRZljs=; b=mDoTnMlR7zrFIWgm764JiXpzTI37todp7qQNEYgBzEvMaXRo+0EbwzR9fAKa3xeezghfb795sHTbHftmuQhh1Uuqb0r//yHdTXHKDlYcDSH+BWJ98GC5hBvU1Y2VaJCgVUUUcjfLQVbTXOWZoAwd7qcYJfbVIZPD48hYGbS1HaybQ9xAO8nHywrMQUiHyTJF7bBcbbVuWCU6bmSwjMgLR7QBsNV5uaPirvHk5S6J0gTzuebdTaGWAkJHqXd1RjytUVuzM91zAUOU65nqOsYLXeqIXwPYwOtV4sHLvTuru4Nh335I4coLu/yceqZQoXOrvphY4T51ULrP8vCvLzjxQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3JYY56TTuQo3liBfz3CFvcTe6UXodOCqLZLqbSRZljs=; b=evgDogQ6jL9ko4v5scJpHfsqDIGldLht31Ln37iDTW8T1CEmpjnDGg7BSUYqYGDI0Luhm6i/zpK65V6ChJeGiCn7UoUNWQYlr/VVOfrz+VyhMNq/V4AH7a3dG5pu7R6xPhZ/EToR9SrGpwVjQyc5P6xQeW3Mm8KY6F5aRzPl64c=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM7PR07MB6787.eurprd07.prod.outlook.com (2603:10a6:20b:1bc::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.16; Tue, 17 Nov 2020 09:05:27 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3589.017; Tue, 17 Nov 2020 09:05:27 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Comment on draft-irtf-cfrg-aead-limits-01
Thread-Index: AQHWvCVZoFTeCQ5e9UCcNMyvepSzH6nLc6EAgAACw4CAAAI1gIAAAvSAgAABWACAAJ0nAA==
Date: Tue, 17 Nov 2020 09:05:26 +0000
Message-ID: <8AA354A7-46D9-408A-8A2F-A47F1CC61552@ericsson.com>
References: <A3C540A2-6B18-42E0-8F0F-B4723BC5F0DA@ericsson.com> <26fe988b-c2a8-2202-19ed-03b1b2d62d3e@cs.tcd.ie> <CABcZeBNX7J3pwvvTDhq4ugpu=auoZ8Saoq2C3Kx8w-mahLmEvQ@mail.gmail.com> <8390ffe5-2089-6efa-5b83-d96491b3889c@cs.tcd.ie> <CABcZeBMm3-2sHciVJPmcL4M49ezhP1O_52x4QExpH+kB6z5Cew@mail.gmail.com> <0e959c4c-87c6-0c4a-d605-a7ebac4f30ce@cs.tcd.ie>
In-Reply-To: <0e959c4c-87c6-0c4a-d605-a7ebac4f30ce@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1af6ba57-0d26-428a-e3eb-08d88ad7eceb
x-ms-traffictypediagnostic: AM7PR07MB6787:
x-microsoft-antispam-prvs: <AM7PR07MB67876E59C98CE360A024220489E20@AM7PR07MB6787.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yzTkIk/A+4y8Rvu7duMoiFpI0A8FTuQG5+f5758eBahHCxd6H92r4iyNUAM454XTNcF/7fwBZyEpc2qpLxnW99qYSHFbj6tkvdNB/LjrhqInNIy/VcxnKY6IWkZbIu5lahy4QrcBd0Bi7eHV/OYzHcknGWID7ElAlxP9TtFRycF0CIO6P7nBi7YAXVAlb5/+CVDMLA8wAE1ilMkWHBFUy9ruFfh/yD0mZVV9iblJVUusHnnZqoaCLnjx0kx24t/L/Gd4xWsPyNNz3O5+YvnMaZcaR8heuXfDZ6h90ip3yeaW1uz+c2C5tLUHFlIr5bXaqym/3k0y9OeVPLcnAxFZcg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(376002)(346002)(396003)(136003)(83380400001)(8936002)(8676002)(33656002)(296002)(110136005)(6512007)(2906002)(71200400001)(86362001)(6486002)(6506007)(76116006)(64756008)(91956017)(66476007)(66446008)(36756003)(66946007)(316002)(53546011)(66556008)(5660300002)(4326008)(478600001)(2616005)(186003)(44832011)(26005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: ocJWwWKMU8AWs80S5R6/CRTasx/0ki2mcG19u2wQ3jDyBSpjwH3TrF1U055EGqDk2k4vWC8+gcbPRutd83NUermyZhbnOVa9ZmTMFjTdE+2i8HQMKHukUKGgsT6Dz+aSX0CP8+Trey7lz4NoJOqMgPFxEjejGlNq3GSByGY42Lsy8HyQ05akbajCWlolqpBFx4kxTHROJlCAUbK/QPZgsoaikklezmtWARWkbLFFxPA/m+2ranJvRHWwuuH3G/ezC46KSxGF6ChcPIeXGwHmcN0mX8RAk55rXJMEGYfktUqX8kFURh1+J3uRKtMSmQL454r9nFs6wPourhFciQy8D2C2NuhDOaF1yYkHWtPbcEtx+CcmJ7LVX0SyzVYcmG60Rh753cbLXPdEiwt64pIdsGQHSPuGYMfuKibTQSFU07VwjGo4viXcy1sIxKTh4syXFIGHRXTpCAwaMEmPaxhPeKPOR3mIqzKgaNZG6Bmzy/xjiIGlHqEJj/2X7+OK3BFYrHYKzu47VLrW5F4WmJHRCP/tdRIr4ql2N+KvFC4MU0o1yNM2IyT4ymdZr1w+VKqM8sdkc/eHCetvf3ZhNM1NuOw15GDqAB/Zc/YUuGlEtJOWRMXvY6mn4jFWHDkQWqS3TK+mTH0QjUc7ML+aE0dV1g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <FCE5528264DD724ABA642520CB2BB16B@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1af6ba57-0d26-428a-e3eb-08d88ad7eceb
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Nov 2020 09:05:26.9539 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +m3oIJJN1Fn8av42Xpq9o/NelTjOuRJN9GrjY2KXSKGLfPZCJtLl43GvRUTHz35ZTkvCzPN03EMQVk3Cata0JprVrU0s4jSmfG7DLZTYlBU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6787
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/n8TTU4_u1xUQXQigSw6zmZK7WRc>
Subject: Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 09:05:32 -0000
Hi, I think recommendations on re-keying probably have to discuss things like the key hierarchy in the security protocol and the security boundaries in the implementation. Re-keying can be done different levels. - Using the long-term authentication keys. - Inside the “record layer” like in TLS 1.3 and OSCORE - In the middle of these like TLS resumption, Child SA, or Signal Ratcheting. Where to do re-keying also depends on the implementation, to protect against key leakage the re-keying needs to be done from keys stored behind some security boundary. Or from the “leaked key” themselves is DH/PFS is used. Stephen Farrell wrote: > "Keys leak from devices. If you can re-key > every year, do at least that. If every month, then re-key > monthly. If more frequently then great, do it as often as > you can afford. And in the limit, theory says you really > have to re-key at least as often as section x.y says." I would also like to see a document like that, but maybe AEAD limits is not the right place. If possible, I would say that you should to a Diffie-Hellman key exchange every day or every few hours, that is what a lot of governments recommend for IPsec. Stephen Farrell wrote: > I can some envisage developers reading text like this > draft and concluding that they'll never hit the relevant > limit (or more likely assuming that, as it means writing > and testing less code) and never writing any code to > trigger a re-key. I think that is good point, I can envisage that too. Maybe the document could make it clear that the AEAD limits are just one reason to do re-keying and that re-keying should also be done to protect against key-leakage? I think key-leakage is likely a greater practical threats than the distinguishing and forgery attacks in the AEAD limits document. Cheers, John -----Original Message----- From: CFRG <cfrg-bounces@irtf.org> on behalf of Stephen Farrell <stephen.farrell@cs.tcd.ie> Date: Tuesday, 17 November 2020 at 01:43 To: Eric Rescorla <ekr@rtfm.com> Cc: CFRG <cfrg@irtf.org> Subject: Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits-01 Hiya, On 17/11/2020 00:38, Eric Rescorla wrote: > What stops the TLS or QUIC stack from rekeying internally > when it hits the limit without even notifying the developer. The heat death of the (developer's local) universe? :-) I can some envisage developers reading text like this draft and concluding that they'll never hit the relevant limit (or more likely assuming that, as it means writing and testing less code) and never writing any code to trigger a re-key. Given the more likely risk is leakage rather than exhausting the crypto-lifetime of a key (in at least many cases), text addressing that may be useful. Cheers, S.
- [CFRG] Comment on draft-irtf-cfrg-aead-limits-01 John Mattsson
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Martin Thomson
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Stephen Farrell
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Eric Rescorla
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Stephen Farrell
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Eric Rescorla
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Stephen Farrell
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… John Mattsson
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… John Mattsson
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Martin Thomson
- Re: [CFRG] Comment on draft-irtf-cfrg-aead-limits… Stephen Farrell