Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add receive_generation field
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 26 February 2016 12:24 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588B61A0161 for <tls@ietfa.amsl.com>; Fri, 26 Feb 2016 04:24:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.006] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ok_vqsNwvvRN for <tls@ietfa.amsl.com>; Fri, 26 Feb 2016 04:24:33 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 22A3C1A013F for <tls@ietf.org>; Fri, 26 Feb 2016 04:24:32 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 0530CF16; Fri, 26 Feb 2016 14:24:31 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id xCmFFGHXl7R7; Fri, 26 Feb 2016 14:24:30 +0200 (EET)
Received: from LK-Perkele-V2 (87-100-151-39.bb.dnainternet.fi [87.100.151.39]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id A91B1C4; Fri, 26 Feb 2016 14:24:30 +0200 (EET)
Date: Fri, 26 Feb 2016 14:24:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Judson Wilson <wilson.judson@gmail.com>
Message-ID: <20160226122425.GA32313@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAB=4g8Jp-04RQKSXDpos5PczdFfMU8bEv242qzf1HnC=aP0F2Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAB=4g8Jp-04RQKSXDpos5PczdFfMU8bEv242qzf1HnC=aP0F2Q@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-3O8pMSZKdYTmHkdBS5MV3Macr0>
Cc: Dan Boneh <dabo@cs.stanford.edu>, Philip Levis <pal@cs.stanford.edu>, Judson Wilson <judsonw@stanford.edu>, tls@ietf.org, Keith Winstein <keithw@cs.stanford.edu>, Henry Corrigan-Gibbs <henrycg@stanford.edu>, "Riad S. Wahby" <rsw@cs.stanford.edu>
Subject: Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add receive_generation field
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2016 12:24:35 -0000
On Fri, Feb 26, 2016 at 01:27:45AM -0800, Judson Wilson wrote: > Hello folks, > > How this helps: In the current draft, an endpoint that sends a KeyUpdate > message and later receives a KeyUpdate message cannot know whether the > other side has actually updated its receive keys. The two messages may have > been generated independently and crossed in flight. Putting a > receive_generation field in the KeyUpdate message lets an endpoint confirm > that the other side has received and acted upon an earlier KeyUpdate > message. Well, the KeyUpdates are designed to be asynchronous so that the other end does not need to know if the other has acted on KeyUpdate. > One way for a client to grant delayed read-only access in TLS 1.3 is with a > "rotate and release." The client starts by sending a KeyUpdate. Later, > after all traffic keys from the previous generation have been superseded on > both sides, the client releases the (superseded) traffic keys to the > middlebox. The middlebox can use the keys to decrypt the previous > generation of ciphertext, without danger of compromising the integrity of > the session. The challenge is that an endpoint can't safely release its old > send keys until it knows that the other side has updated its receive keys. > Hence the receive_generation field. There are better (and less broken) ways to do this kind of thing (involving two MACs). > We think this is a pretty lightweight way to resolve the ambiguity from > KeyUpdates crossing in flight; it doesn't add any blocking, waiting, or > extra rounds or messages. Thanks in advance for any feedback. The KeyUpdate design is so that crossings don't matter. -Ilari
- [TLS] TLS 1.3 PR #426: KeyUpdate message: add rec… Judson Wilson
- Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add… Ilari Liusvaara
- Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add… Eric Rescorla
- Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add… Philip Levis
- Re: [TLS] TLS 1.3 PR #426: KeyUpdate message: add… Ilari Liusvaara