Re: [TLS] Consensus call for keys used in handshake and data messages
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 17 June 2016 20:19 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5944112DABA for <tls@ietfa.amsl.com>; Fri, 17 Jun 2016 13:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MIKwjEnigvD for <tls@ietfa.amsl.com>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87A2612DAB5 for <tls@ietf.org>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id z186so81357596ywd.2 for <tls@ietf.org>; Fri, 17 Jun 2016 13:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=xi5SE4X+5MEKzs26Ql7c2e6BqmYoTjO0Q6fvswW1Zmk=; b=ILztpwY2ggiYVRO6I0dGz83gobtKjh29Ka4Imbe+q8PqxmsJjXadPQLN4qeFqlLoPb +fhWvXb8jpCVaaYaHuxyirzyzormSoRwABKKrS7nSGGyEBII2D1XsS7/kpRJazAvYe5y TQsKEF7v9RPaZ6oxy7yCUZ+i7559HBmWHR99w0+RMrjjPEut/N96AACOEX+g0/bVkbMK QQCdscEgLSytMBJKNxI5Q381dae+pLvopx4YktvDCNM7lRxZqrmk1ME5huBhiIc4SbED zA8vroqfsp+uTbbPpMjBHRgIUHDPTcxX2+MoMtjfsdeyca2yo0ZwYJz2vzURrHTQNyeP G+dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=xi5SE4X+5MEKzs26Ql7c2e6BqmYoTjO0Q6fvswW1Zmk=; b=Sfv+KNBOJ9zrkBBwd//ee4VVuJONhRqYTXUd/ikx0Yy6kW4QMK1jp2iE7jizs5VZur 6FIN2/hYy3MFixBiIGjl2CHzN+68NwDuujZhhFGdozGbQ0Pp6V7bb3ATojwS42HUt6Zp HK1K5HcJcYQS65UCaTqq24rPnv/1O1lyEi+VfnTGZ0mq9KEpAtzMbu/Rp+LqHcR59Nxb 2BKMMwaRHRBOqkO5EKrPo0OPvRB9FpdslnNqR/jMQvgvFaLVfWTfbc9vIfjpEXfEgDnf p2zxzlYvJujcfNTSrj7dF9z957e2RhUP6JUyOyVKFRt8kw96SpbTzELOg0orKY/CSnrU Pk9Q==
X-Gm-Message-State: ALyK8tJr82yaxnDn+3+pqKCkaxspHbBCCig5rIrqHzRLlDNfib4qnqznRRwHiN/6CiRyaZPaHqWs1WiHvOR6qQ==
X-Received: by 10.129.117.132 with SMTP id q126mr2523023ywc.114.1466194744594; Fri, 17 Jun 2016 13:19:04 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.37.97.199 with HTTP; Fri, 17 Jun 2016 13:18:34 -0700 (PDT)
In-Reply-To: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com>
References: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 17 Jun 2016 16:18:34 -0400
X-Google-Sender-Auth: yDy8HMQbOieFvSsC73238UN3TUs
Message-ID: <CADi0yUN=FxZHMUtDke4qdaHuvDM2y0aFVCvVJkkpbzXFS0+LsQ@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a1147f6c6ec563a05357f10f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-NPw8Zeihius7vPdOZYm9a8ytZM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 20:19:08 -0000
I am abstaining on the choice of alternative 1 and 2 since I do not understand enough the engineering considerations and ramifications of the different choices. Also, I have not put any thought into the privacy issues related to hiding content type and I certainly did not do any formal analysis of these aspects. I do want to say that from a cryptographic design and analysis point of view, key separation is of great importance. It allows to have more modular analysis and design, and prove composability properties of protocols and applications. I believe it has significant practical advantages particularly with respect to "maintaining" a protocol, namely, making sure that changes and extensions to a protocol are secure and do not jeopardize its security. The more modular the design the easier it is to reason about changes and additions to the protocol (and for a protocol like TLS, future changes and adaptations to different settings are unavoidable). As for the specific cryptographic considerations in TLS 1.3, I would have "fought" greatly to preserve key separation at the level of the basic handshake protocol (three first flights). It guarantees that the application key is *fresh* at its first use for protecting application data. Freshness means that the key can serve any purpose for which a shared random secret key can be used. (In contrast, a non-fresh key, e.g. one used during the handshake itself, can only be used with applications that are aware of how exactly the key was used in the handshake.) Since my understanding is that the current base-handshake specification does preserve the freshness of the application key, I am happy with that design. The issue of using the application key to protect post-handshake messages is more involved. First, post-handshake client authentication authenticates ("a posteriori") the application key but only after this key has already been used. In this sense this mechanism cannot possibly achieve key freshness for the application key. The best one can hope for is that this post-authentication authenticates the key without jeopardizing its use in the particular application it is intended for, namely, protecting TLS record layer data. Luckily, this can be proved. So now the question is whether using the application key to encrypt the very messages that provide post-handshake authentication (e.g., client's signature) may lower the security of this key. The answer is that it does not. That is, the security of the key for protecting record layer data is not jeopardized by using it to encrypt post-handshake messages. I feel moderately confident about the above paragraph as I have been working on the analysis of client authentication, including (encrypted) post-handshake authentication. On the other hand, I have not studied the effects of encrypting other post-handshake messages such as New Ticket or re-keying messages so I don't have an "educated conclusion" here. I do expect that there are analytical advantages for not using the application key for encrypting these messages but I cannot say for sure. In all, it is good and prudent practice (not just theory) to enforce key separation wherever possible, and I would be happier if there was no instance where the application key is applied to non-application data. But I also know that one has to weigh other engineering considerations and in this case the trade-off does not seem obvious to me. Hence, as said, I abstain. Hugo On Mon, Jun 13, 2016 at 3:00 PM, Joseph Salowey <joe@salowey.net> wrote: > For background please see [1]. > > Please respond to this message indicating which of the following options > you prefer by Monday June, 20, 2016 > > 1. Use the same key for handshake and application traffic (as in the > current draft-13) > > or > > 2. Restore a public content type and different keys > > Thanks, > > J&S > > > [1] https://www.ietf.org/mail-archive/web/tls/current/msg20241.html > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- Re: [TLS] Consensus call for keys used in handsha… Will Serumgard
- Re: [TLS] Consensus call for keys used in handsha… Björn Tackmann
- Re: [TLS] Consensus call for keys used in handsha… Subodh Iyengar
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Dave Garrett
- Re: [TLS] Consensus call for keys used in handsha… Colm MacCárthaigh
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Hugo Krawczyk
- Re: [TLS] Consensus call for keys used in handsha… Martin Rex
- Re: [TLS] Consensus call for keys used in handsha… Paterson, Kenny
- Re: [TLS] Consensus call for keys used in handsha… Paterson, Kenny
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Hubert Kario
- Re: [TLS] Consensus call for keys used in handsha… Dave Garrett
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Nick Sullivan
- Re: [TLS] Consensus call for keys used in handsha… Dan Harkins
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Yoav Nir
- Re: [TLS] Consensus call for keys used in handsha… Nikos Mavrogiannopoulos
- Re: [TLS] Consensus call for keys used in handsha… Benjamin Dowling
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Felix Günther
- Re: [TLS] Consensus call for keys used in handsha… Björn Tackmann
- Re: [TLS] Consensus call for keys used in handsha… Martin Thomson
- Re: [TLS] Consensus call for keys used in handsha… Yoav Nir
- Re: [TLS] Consensus call for keys used in handsha… Watson Ladd
- Re: [TLS] Consensus call for keys used in handsha… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus call for keys used in handsha… Henrik Grubbström
- Re: [TLS] Consensus call for keys used in handsha… Hannes Mehnert
- Re: [TLS] Consensus call for keys used in handsha… Cas Cremers
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- [TLS] Consensus call for keys used in handshake a… Joseph Salowey
- Re: [TLS] Consensus call for keys used in handsha… Andrei Popov
- Re: [TLS] Consensus call for keys used in handsha… Karthikeyan Bhargavan