IETF Logo Mail Archive

Re: [TLS] Consensus call for keys used in handshake and data messages

Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 17 June 2016 20:19 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5944112DABA for <tls@ietfa.amsl.com>; Fri, 17 Jun 2016 13:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MIKwjEnigvD for <tls@ietfa.amsl.com>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87A2612DAB5 for <tls@ietf.org>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id z186so81357596ywd.2 for <tls@ietf.org>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xi5SE4X+5MEKzs26Ql7c2e6BqmYoTjO0Q6fvswW1Zmk=; b=ILztpwY2ggiYVRO6I0dGz83gobtKjh29Ka4Imbe+q8PqxmsJjXadPQLN4qeFqlLoPb +fhWvXb8jpCVaaYaHuxyirzyzormSoRwABKKrS7nSGGyEBII2D1XsS7/kpRJazAvYe5y TQsKEF7v9RPaZ6oxy7yCUZ+i7559HBmWHR99w0+RMrjjPEut/N96AACOEX+g0/bVkbMK QQCdscEgLSytMBJKNxI5Q381dae+pLvopx4YktvDCNM7lRxZqrmk1ME5huBhiIc4SbED zA8vroqfsp+uTbbPpMjBHRgIUHDPTcxX2+MoMtjfsdeyca2yo0ZwYJz2vzURrHTQNyeP G+dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=xi5SE4X+5MEKzs26Ql7c2e6BqmYoTjO0Q6fvswW1Zmk=; b=Sfv+KNBOJ9zrkBBwd//ee4VVuJONhRqYTXUd/ikx0Yy6kW4QMK1jp2iE7jizs5VZur 6FIN2/hYy3MFixBiIGjl2CHzN+68NwDuujZhhFGdozGbQ0Pp6V7bb3ATojwS42HUt6Zp HK1K5HcJcYQS65UCaTqq24rPnv/1O1lyEi+VfnTGZ0mq9KEpAtzMbu/Rp+LqHcR59Nxb 2BKMMwaRHRBOqkO5EKrPo0OPvRB9FpdslnNqR/jMQvgvFaLVfWTfbc9vIfjpEXfEgDnf p2zxzlYvJujcfNTSrj7dF9z957e2RhUP6JUyOyVKFRt8kw96SpbTzELOg0orKY/CSnrU Pk9Q==
X-Gm-Message-State: ALyK8tJr82yaxnDn+3+pqKCkaxspHbBCCig5rIrqHzRLlDNfib4qnqznRRwHiN/6CiRyaZPaHqWs1WiHvOR6qQ==
X-Received: by 10.129.117.132 with SMTP id q126mr2523023ywc.114.1466194744594; Fri, 17 Jun 2016 13:19:04 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.37.97.199 with HTTP; Fri, 17 Jun 2016 13:18:34 -0700 (PDT)
In-Reply-To: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com>
References: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 17 Jun 2016 16:18:34 -0400
X-Google-Sender-Auth: yDy8HMQbOieFvSsC73238UN3TUs
Message-ID: <CADi0yUN=FxZHMUtDke4qdaHuvDM2y0aFVCvVJkkpbzXFS0+LsQ@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a1147f6c6ec563a05357f10f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-NPw8Zeihius7vPdOZYm9a8ytZM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 20:19:08 -0000

I am abstaining on the choice of alternative 1 and 2 since I do not
understand
enough the engineering considerations and ramifications of the different
choices. Also, I have not put any thought into the privacy issues related to
hiding content type and I certainly did not do any formal analysis of these
aspects.

I do want to say that from a cryptographic design and analysis point of
view,
key separation is of great importance. It allows to have more modular
analysis
and design, and prove composability properties of protocols and
applications.
I believe it has significant practical advantages particularly with respect
to
"maintaining" a protocol, namely, making sure that changes and extensions
to a
protocol are secure and do not jeopardize its security. The more modular the
design the easier it is to reason about changes and additions to the
protocol
(and for a protocol like TLS, future changes and adaptations to different
settings are unavoidable).

As for the specific cryptographic considerations in TLS 1.3, I would have
"fought" greatly to preserve key separation at the level of the basic
handshake
protocol (three first flights). It guarantees that the application key is
*fresh* at its first use for protecting application data. Freshness means
that
the key can serve any purpose for which a shared random secret key can be
used.
(In contrast, a non-fresh key, e.g. one used during the handshake itself,
can
only be used with applications that are aware of how exactly the key was
used
in the handshake.) Since my understanding is that the current base-handshake
specification does preserve the freshness of the application key, I am happy
with that design.

The issue of using the application key to protect post-handshake messages is
more involved. First, post-handshake client authentication authenticates ("a
posteriori") the application key but only after this key has already been
used.
In this sense this mechanism cannot possibly achieve key freshness for the
application key. The best one can hope for is that this post-authentication
authenticates the key without jeopardizing its use in the particular
application
it is intended for, namely, protecting TLS record layer data. Luckily, this
can
be proved. So now the question is whether using the application key to
encrypt
the very messages that provide post-handshake authentication (e.g., client's
signature) may lower the security of this key. The answer is that it does
not.
That is, the security of the key for protecting record layer data is not
jeopardized by using it to encrypt post-handshake messages.

I feel moderately confident about the above paragraph as I have been
working on
the analysis of client authentication, including (encrypted) post-handshake
authentication. On the other hand, I have not studied the effects of
encrypting
other post-handshake messages such as New Ticket or re-keying messages so I
don't have an "educated conclusion" here. I do expect that there are
analytical
advantages for not using the application key for encrypting these messages
but I
cannot say for sure.

In all, it is good and prudent practice (not just theory) to enforce key
separation wherever possible, and I would be happier if there was no
instance
where the application key is applied to non-application data. But I also
know
that one has to weigh other engineering considerations and in this case the
trade-off does not seem obvious to me. Hence, as said, I abstain.

Hugo


On Mon, Jun 13, 2016 at 3:00 PM, Joseph Salowey <joe@salowey.net> wrote:

> For background please see [1].
>
> Please respond to this message indicating which of the following options
> you prefer by Monday June, 20, 2016
>
> 1. Use the same key for handshake and application traffic (as in the
> current draft-13)
>
> or
>
> 2. Restore a public content type and different keys
>
> Thanks,
>
> J&S
>
>
> [1] https://www.ietf.org/mail-archive/web/tls/current/msg20241.html
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email