Re: Why not exporters?

Martin Thomson <mt@lowentropy.net> Sun, 14 June 2020 23:37 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C723A0544 for <quic@ietfa.amsl.com>; Sun, 14 Jun 2020 16:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=UZZpCz1m; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=i7l8RbLp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmpp9WDvtaOY for <quic@ietfa.amsl.com>; Sun, 14 Jun 2020 16:37:45 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 285263A0542 for <quic@ietf.org>; Sun, 14 Jun 2020 16:37:45 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 4E5085C00C7 for <quic@ietf.org>; Sun, 14 Jun 2020 19:37:44 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Sun, 14 Jun 2020 19:37:44 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=FgVqolhZof0czREqKcWLIoELXx+nz7+ lxB27Zj2CzbA=; b=UZZpCz1m8A/a2672WLVZJtXb3paAyKT8Nf6OLRNW06U5GbJ PWr3Q1y/JMH3uoZSlBSmaas1szEaULqBbTxCTWAoeZHP3247j6sLJPJjH/t0mxhJ TkWYwPxmD3EH9Y17S12uzpg3sZpYCnNlFyZdHxpU+JeSLN/2MQgeAkVPf36hAWtd NJTaAuohcWysw0x54LFC4ZFKemGsk5dTzHBhL2PE/a0Pbpw2SorbaYVGHs4rDLNU jJsR/KaKOQBqkUnmEYP6z5BBvLZQbLBAtZg0+woWZMCZn93HdtXhJ2+xG7AXbccw Ex/AxsCG/9lo+blnBn4xM4Az/RxUHK4hNeLVxVw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=FgVqol hZof0czREqKcWLIoELXx+nz7+lxB27Zj2CzbA=; b=i7l8RbLpytQMstBoHyabHv QAEMngoWFpNDAIF1XFPIAxKghWqwmUC+VoDJRcGSS9bJQkDmFZTur1UO7wuG6Tji kWIneRF0GuGgb9LkYJ0sfi7r5TUAj0iR5JHili7KAgD8p/3Ow+JTtPMgRTmI+nJu 99EHZHgjuXCfkc2m9WzuICAGi1g6QdAYBgtnRe5iTw6qVcDxmShlDiCvzvQv3r+a 5dB/W1lgYFRN4reXQI5Wl8iiCqQEGMeu3A4fmI8g30qB1mja9pAjJebBa2k/wolU 6mOTbqd7JvN7027xCD6edKyuSNTCcXinlbEZk4J1xishy4tT/UoYkAiLi36xYrVA ==
X-ME-Sender: <xms:yLTmXs1p4EdaA-h5A25W1mvK546NqQ8PYQBIj0GiXRBZnnlSEgQRhw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudeijedgvdeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeekteeuieektdekleefke evhfekffevvdevgfekgfeluefgvdejjeegffeigedtjeenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:yLTmXnFWjdCcQBOb1qJQyjq692FADzrQ-uySJprFZXJA3pqX1Lf24w> <xmx:yLTmXk6sY20fgiUMmW1iWn9xLHKvPKD9CODB5aBexrdC7Oy92ybc_A> <xmx:yLTmXl3dCeETcYAC21qGNN70Xl6FvhHpoPsowFcUbKKJRdbY_LkZRQ> <xmx:yLTmXvHg9ezTC83n8guRXLrgq_e_B2GX3BH9PEumlMSNBIFxIyflOw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id ED491E00A8; Sun, 14 Jun 2020 19:37:43 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-525-ge8fa799-fm-20200609.001-ge8fa7990
Mime-Version: 1.0
Message-Id: <04a71698-968d-436b-9940-29afc9fea37d@www.fastmail.com>
In-Reply-To: <CACsn0c=+P4vRpOHw-MD4NxU5nVPKORBHoNPYnxxtk=fk0OCGiA@mail.gmail.com>
References: <CACsn0c=+P4vRpOHw-MD4NxU5nVPKORBHoNPYnxxtk=fk0OCGiA@mail.gmail.com>
Date: Mon, 15 Jun 2020 09:37:23 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Why not exporters?
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ZVOfoKoPCurIxDZi0owOxOQa4Iw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 23:37:46 -0000

On Mon, Jun 15, 2020, at 06:24, Watson Ladd wrote:
> I'm afraid I missed the discussion of using exporters in the TLS QUIC
> draft. Exporters would assure the domain separation from TLS, and have
> an IANA registry to maintain that separation across versions. There
> doesn't seem to be a good reason not to do it.

Hi Watson,

We used exporters in an earlier version of the specification.  Indeed, the introduction of the early exporter in TLS 1.3 was - at least in part - in support of providing exporter keys that QUIC could use for 0-RTT.

However, when we moved to more closely following the TLS key schedule for packet protection, we decided to use TLS secrets rather than define a Handshake key exporter.  In the current design, those secrets are not used by TLS.

Domain separation is now achieved at the leaf. Until key updates occur, QUIC packet protection keys are derived from the same secrets that TLS uses for record protection, but the labels used for deriving the individual values (key, iv, hp) use a different label.  This ensures that keys cannot be synchronized.  That is in addition to the handshake being different due to containing a QUIC-specific extension and the guarantee provided by TLS that different connections have different keys. It's not as good as a clean separation might be, but there are several layers of defense.

Hope that helps,