Re: [Emu] Consensus call on EAP-TLS key derivation
Joseph Salowey <joe@salowey.net> Tue, 11 May 2021 15:16 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E3AB3A1B14 for <emu@ietfa.amsl.com>; Tue, 11 May 2021 08:16:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEgG9k01KqZd for <emu@ietfa.amsl.com>; Tue, 11 May 2021 08:16:50 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DABA3A1B2B for <emu@ietf.org>; Tue, 11 May 2021 08:16:50 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id m11so12749358lfg.3 for <emu@ietf.org>; Tue, 11 May 2021 08:16:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VRcYutXJ/z+An5ldqOaO23WX/nALaBGovYkip6un4XE=; b=Dg0ty7up9EN4W5+NCyDAPm8kq/DiyoPFSRzTmvVc7xBydRTiEO5mefLTvlTzqhQmte 8No3T3xJrlJ8RSfuE4Wmrz/dPwiSixV64N3P4U0seBpz+xmp0Me3x3+AZ3XCWH9HmnxZ PwO10slwYV9IJLk6ZjUnpWLFYO+pUkESHpLGp5FK0ezPydywzSpZajFUjdmL6pihgsfs wgB/dCp0H8jXm/XD1artiI7NuRrUzTJsqPSuFr760RZLTvZSb1cDqwD5JA/l9KAcComr SDTkmLXEiJ7Ip+NlmNVX0TQIJNFLr023B5Y412SCYfUNV24eKwgRMELEjaLdDnc00pAz uJlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VRcYutXJ/z+An5ldqOaO23WX/nALaBGovYkip6un4XE=; b=GF3KzYSeNtVcnOuCYJmsSLts7B0G3VPKJ77PuSCyUG9oqEXkRW6Xt4quyV85nlVlQm VGfjO7sZ/Zd1KIb5Jvv+YVgmf8tF7UIoHnHsRZRDhmhJm07bNUiZuTSWb/Qx+60eGodB s0C6JpYrE7RaTxn56ajtzTtaW+BhJA4w/XGgT9L3EazNttkXJUHHOuM4+awPe8SmQsRB idgdJRepmIOQXc8FRJUGBNAa5+CjvSTmpdlhqFDnGoSrgAbKKtWEYdmF1XQh8fynaZxH jZs/m6F03Wrukwemf3k0XwBWEcaVecZMBmTiU+Ontrs3ZsALGHoQwSsbe5fjr9LnlwQu iiDA==
X-Gm-Message-State: AOAM530EGLajBkOSDlBCjkMRf5ceiO16pukjFaExEQF35NtE5O1fFVjf XBo7kw1k+gbzIPKZygyFpP94fBQxfRMO25L/OjBP0g==
X-Google-Smtp-Source: ABdhPJwI1EoqBDagHNPYkvswsOux8sPqmlx5ZBKYRl02hkJBYS8R/JyWX0OCwXMDRh4/ROy8TwMvat4PJ8RRx5WRJSA=
X-Received: by 2002:ac2:4851:: with SMTP id 17mr17581971lfy.328.1620746206850; Tue, 11 May 2021 08:16:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoDtd2HAG8RrpLAZ8XQoiyXpJNz2k6+CAyxU2+gnbqEwjg@mail.gmail.com> <D8592424-2A53-43BA-B1EE-6661CFAF6537@ericsson.com>
In-Reply-To: <D8592424-2A53-43BA-B1EE-6661CFAF6537@ericsson.com>
From: Joseph Salowey <joe@salowey.net>
Date: Tue, 11 May 2021 08:16:36 -0700
Message-ID: <CAOgPGoCDn2=JjMK5FM2t3J7QF8XUBiFvACirDmXXuU+xr8Bh2w@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ee453205c20f613a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/Ff5glxuthS84V8OFywLOQJ6TbG0>
Subject: Re: [Emu] Consensus call on EAP-TLS key derivation
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 15:16:55 -0000
On Mon, May 10, 2021 at 10:53 AM John Mattsson <john.mattsson@ericsson.com> wrote: > I don’t see any strong reasons to keep the -15 key derivation. I started > to prepare a PR for the likely change back to -13. > > > > https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/68 > > > > - Version 15 has the following wrong text that need to change. > Key_Material can now be kept, but IV should be removed. > > > > “the Key_Material, IV, and Method-Id SHALL be derived” > > ”derivation of Key_Material, IV and Method-Id” > > > > - The IANA table need to change. > > > > - I would suggest to have the text agreed in -13 stating stating that the > derivation from Key_Material is the same as in RFC 5216. > > > > The MSK and EMSK are derived in the same manner as with EAP-TLS > [RFC5216], Section 2.3. The definitions are repeated below for simplicity: > > > > MSK = Key_Material(0, 63) > > EMSK = Key_Material(64, 127) > [Joe] how about "are derived from Key_Material in the same manner as with EAP_TLS... " > > > John > > > > *From: *Emu <emu-bounces@ietf.org> on behalf of Joseph Salowey < > joe@salowey.net> > *Date: *Sunday, 9 May 2021 at 19:54 > *To: *EMU WG <emu@ietf.org> > *Subject: *[Emu] Consensus call on EAP-TLS key derivation > > > > We had discussion on the list on whether to include context in the key > derivation, but we never closed on the issue of separating out the MSK and > EMSK derivation. As a result several implementers have gone down the path > of implementing what is in draft 13 and not separating out the derivation. > The main difference is that draft 15 separated out the EMSK and MSK > derivation using two different labels while draft 13 used a single label to > derive key material which is partitioned into two keys. The reason for > the change was to enable different access control for these two different > quantities for different callers, however in practice it is EAP-TLS > application which needs access to both keys that is the caller of the TLS > library so this separation is not particularly useful. Therefore the > recommendation is to align with implementation and derive the MSK and EMSK > by partitioning the key material from the key material produced by a single > label of the exporter function. > > > > Please respond to the list if you support the change below or not to > revert some of the text in the key derivation section. If you object to > the change please state why. Please respond by May 20,2021. > > > > Thanks, > > > > Joe > > > > The proposal is to use the following key derivation which is largely a > reversion to draft 13: > > > > Draft-15 Text: > > > > Type-Code = 0x0D > > MSK = TLS-Exporter("EXPORTER_EAP_TLS_MSK",Type-Code,64) > > EMSK = TLS-Exporter("EXPORTER_EAP_TLS_EMSK",Type-Code,64) > > Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",Type-Code,64) > > Session-Id = Type-Code || Method-Id > > > > Proposed New Text: > > > > Type-Code = 0x0D > > Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material", > > Type-Code, 128) > > MSK = Key_Material(0, 63) > > EMSK = Key_Material(64, 127) > > Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", > > Type-Code, 64) > > Session-Id = Type-Code || Method-Id > > > > The rest of the text of the section remains the same as draft-15. > >
- [Emu] Consensus call on EAP-TLS key derivation Joseph Salowey
- Re: [Emu] Consensus call on EAP-TLS key derivation Alan DeKok
- Re: [Emu] Consensus call on EAP-TLS key derivation John Mattsson
- Re: [Emu] Consensus call on EAP-TLS key derivation Joseph Salowey
- Re: [Emu] Consensus call on EAP-TLS key derivation Jorge Vergara