Re: [Lurk] lurk integration with openssl
Daniel Migault <daniel.migault@ericsson.com> Wed, 23 May 2018 17:19 UTC
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 23 May 2018 13:19:18 -0400
To: Jesús Alberto Polo <ietf@jesusalberto.me>
Cc: LURK BoF <lurk@ietf.org>, Dmitry Kravkov <dmitryk@qwilt.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/X6jExW0JFKCmywvYAJvL8ISxjRE>
List-Id: Limited Use of Remote Keys <lurk.ietf.org>

Hi Jesus,

That is really great to have two implementations! In addition, the C implementation integrated with openssl would provide more accurate measurements on how lurk impacts the edge server. That is great news and I wish interoperability tests may be done at the hackathon!

Yours,
Daniel

On Wed, May 23, 2018 at 11:38 AM, Jesús Alberto Polo <ietf@jesusalberto.me> wrote:

> Hi,
>
> A very early version of clurk will be ready very soon. So far, the ECDHE
> handshake is done (POO is missing though) and I’m finishing the RSA
> handshake (PFS is missing as well) based on the patch you shared lately.
>
> I’ll share the GitHub link as soon as it is ready and also provide more
> details.
>
> Best,
>
> Jesús Alberto
>
>
> On 2018-04-24 17:34, Daniel Migault wrote:
>
>> Thanks for the feedback! Yes absolutely for ecdhe, the sig_and_hash
>> is missing from the spec. I have also slightly changed the extended
>> master structure by exchanging the session_hash and encrypted
>> premaster. I expect to be able to update the draft by next week as
>> well. On my python implementation I am using the following structures
>> for ecdhe.
>>
>> Yours,
>>
>> Daniel
>>
>> TLS12ECDHERequestPayload = Struct(
>>     Embedded(TLS12Base),
>>     "sig_and_hash" / SignatureAndHashAlgorithm,
>>     "ecdhe_params" / ServerECDHParams,
>>     "poo_params" / Struct(
>>         "poo_prf" / Default( POOPRF, "null" ),
>>         "rG" / IfThenElse( this.poo_prf == 'null',
>>             Pass,
>>             Switch( this.ecdhe_params.curve_param.curve,
>>                 {
>>                     "secp256r1" : UncompressedPointRepresentation_256,
>>                     "secp384r1" : UncompressedPointRepresentation_384,
>>                     "secp512r1" : UncompressedPointRepresentation_512
>>                 }) ),
>>         "tG" / IfThenElse( this.poo_prf == 'null',
>>             Pass,
>>             Switch( this.ecdhe_params.curve_param.curve,
>>                 {
>>                     "secp256r1" : UncompressedPointRepresentation_256,
>>                     "secp384r1" : UncompressedPointRepresentation_384,
>>                     "secp512r1" : UncompressedPointRepresentation_512
>>                 }) ),
>>     )
>> )
>>
>> With
>>
>> TLS12Base = Struct(
>>     "key_id" / KeyPairID ,
>>     "client_random" / Random,
>>     "server_random" / Random,
>>     "tls_version" / ProtocolVersion,
>>     "prf" / PRFAlgorithm
>> )
>>
>> I have also changed the structure of the extended master by
>> interverting the session hash and the encrypted master to ease the
>> parsing.
>>
>> struct{
>>     KeyPairID key_id
>>     ProtocolVersion tls_version // see RFC5246 section 6.2.1
>>     PRFAlgorithm prf // see RFC5246 section 6.1
>>     opaque session_hash<2...2^16-2>
>>     EncryptedPreMasterSecret pre_master
>>     // see RFC5246 section 7.4.7.1
>> }TLS12ExtendedMasterRSARequestPayload;
>>
>> FROM: Jesús Alberto Polo [mailto:ietf@jesusalberto.me]
>> SENT: Tuesday, April 24, 2018 11:11 AM
>> TO: Dmitry Kravkov <dmitryk@qwilt.com>; Daniel Migault
>> <daniel.migault@ericsson.com>
>> CC: LURK BoF <lurk@ietf.org>
>> SUBJECT: Re: [Lurk] lurk integration with openssl
>>
>> Hi,
>>
>> Thanks for the resources and the patch, it’s definitely easier to
>> solve it the way you did in the hackathon.
>>
>> I managed to integrate the basic functionality of LURK for ECDHE and
>> I’m preparing some tests, I hope they’re done and the code cleaned
>> up by the end of this week.
>>
>> Regarding the TLS12ECDHERequestPayload [1], I think the _Signature
>> Algorithm_ field is missing (hash and signature), to indicate the
>> chosen algorithms for the TLS connection.
>>
>> Best regards,
>>
>> Jesús Alberto
>>
>> [1] https://tools.ietf.org/html/draft-mglt-lurk-tls12-00#section-7.1
>>
>> On 22 Apr 2018, 12:08 +0200, Dmitry Kravkov <dmitryk@qwilt.com>,
>> wrote:
>>
>>> Hi Jesus Alberto,
>>>
>>> this is a patch for openssl used during 101 hackathon
>>>
>>> It looks that direct calling for lurk library from statemachine will
>>> be hard to push upstream, but adding more callbacks for master
>>> secret calculation that nginx (or other client) registers for, will
>>> be easier to submit.
>>>
>>> On Fri, Apr 20, 2018 at 9:26 PM Daniel Migault
>>> <daniel.migault@ericsson.com> wrote:
>>>
>>>> Hi Jesus Alberto,
>>>>
>>>> There have been some discussions regarding the integration of lurk
>>>> with openssl during the hackathon, so feel free to share your
>>>> concerns on the mailing list.
>>>>
>>>> Here are some links you might find of interest:
>>>>
>>>> https://www.agwa.name/blog/post/protecting_the_openssl_private_key_in_a_separate_process
>>>>
>>>> https://www.agwa.name/blog/post/titus_isolation_techniques_continued
>>>>
>>>> Yours,
>>>>
>>>> Daniel
>>>>
>>>> _______________________________________________
>>>> Lurk mailing list
>>>> Lurk@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/lurk
>>>
>>> --
>>>
>>> DMITRY KRAVKOV
>>> Qwilt | Work: +972-72-2221630 | Mobile: +972-54-4839923
>>>
>>> dmitrykATqwilt.com
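
Added example, not part of the thread and not code from either LURK implementation: a strict, bounds-checked parse of the TLS12ExtendedMasterRSARequestPayload layout quoted above, as a key server might apply before touching the private key. The widths of `key_id` and `prf` are assumptions (the message does not give them), and the function and helper names are hypothetical.

```python
import struct

KEY_ID_LEN = 5  # assumption: fixed-width KeyPairID; width not given in the thread
PRF_LEN = 1     # assumption: one-byte PRFAlgorithm enum; not given in the thread

class ParseError(ValueError):
    pass

def _take(buf, off, n, what):
    """Return n bytes at off, refusing to read past the end of the message."""
    if off + n > len(buf):
        raise ParseError(f"truncated {what}")
    return buf[off:off + n], off + n

def _take_vec16(buf, off, lo, hi, what):
    """Read a TLS vector with a 2-byte length prefix and enforce its bounds."""
    raw, off = _take(buf, off, 2, what + " length")
    (n,) = struct.unpack("!H", raw)
    if not lo <= n <= hi:
        raise ParseError(f"{what} length {n} outside {lo}..{hi}")
    return _take(buf, off, n, what)

def parse_extended_master_rsa_request(buf):
    off = 0
    key_id, off = _take(buf, off, KEY_ID_LEN, "key_id")
    version, off = _take(buf, off, 2, "tls_version")
    prf, off = _take(buf, off, PRF_LEN, "prf")
    # Bounds for session_hash are the ones in the quoted struct.
    session_hash, off = _take_vec16(buf, off, 2, 2**16 - 2, "session_hash")
    # EncryptedPreMasterSecret travels as a 2-byte-length vector in TLS 1.2.
    pre_master, off = _take_vec16(buf, off, 0, 2**16 - 1, "pre_master")
    if off != len(buf):
        raise ParseError("trailing bytes after pre_master")
    return {"key_id": key_id, "tls_version": (version[0], version[1]),
            "prf": prf[0], "session_hash": session_hash, "pre_master": pre_master}

def build_sample(session_hash=b"\x11" * 32, pre_master=b"\x22" * 256):
    """Constructed test message, not captured traffic."""
    return (b"\x00" + b"\xaa" * 4 + b"\x03\x03" + b"\x00"
            + struct.pack("!H", len(session_hash)) + session_hash
            + struct.pack("!H", len(pre_master)) + pre_master)

if __name__ == "__main__":
    print(parse_extended_master_rsa_request(build_sample())["tls_version"])
```
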