IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 29 August 2016 17:30 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC9812D7C2 for <tls@ietfa.amsl.com>; Mon, 29 Aug 2016 10:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E4aLaJ9lSrQe for <tls@ietfa.amsl.com>; Mon, 29 Aug 2016 10:30:17 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD5612D7B9 for <tls@ietf.org>; Mon, 29 Aug 2016 10:30:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id F3B7EFB8D; Mon, 29 Aug 2016 20:30:15 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id u7E6IdMCItTE; Mon, 29 Aug 2016 20:30:15 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id B33C62313; Mon, 29 Aug 2016 20:30:15 +0300 (EEST)
Date: Mon, 29 Aug 2016 20:30:05 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160829173005.qfmfm2vfdumvolg2@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMfhd9XxLq-S6c5K-JE50Wgm24JHihN++OawnVgQueMM8BuGuA@mail.gmail.com> <7e9c315a-f0e6-f547-e5e9-a3f48f8d12ff@cs.tcd.ie> <CAMzhQmN8=pw4LGHtZHyRQcVsx4DGwE89GNpHPUSENfbxcTHwRA@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99565C26C5@PRN-MBX01-4.TheFacebook.com> <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com>
User-Agent: Mutt/1.6.2-neo (2016-08-21)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-my2b9N3bfWXVL2lhpMvpTirFAg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2016 17:30:19 -0000

On Sun, Aug 28, 2016 at 11:50:27AM -0700, Eric Rescorla wrote:
> On Sun, Aug 28, 2016 at 11:41 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Sun, Aug 28, 2016 at 10:53:14AM -0700, Eric Rescorla wrote:
> > >
> > > I'd prefer to keep things as simple as possible here and from that
> > > perspective, I think any indicator from side A to side B that it wants a
> > > key change over and above the KeyUpdate is extra complexity. I do,
> > however,
> > > want to retain the property that one side can ask the other one to rekey
> > > [0]. I believe we can get this by modifying the rule in the spec by
> > treating
> > > a run of KeyUpdates as a single generation.
> > >
> > > Specifically.
> > > "Upon receiving a KeyUpdate, the receiver MUST update its receiving
> > > keys. If the receiver has sent any data records since receiving the
> > > last KeyUpdate it MUST also increment its min_send_generation counter
> > > by 1. Otherwise, the min_send_generation MUST remain unchanged. Prior
> > > to sending a record, if min_send_generation is greater than the
> > > current sending generation, the sender MUST first send a KeyUpdate."
> >
> > Timing- and propagation-wise, it looks workable (also, could be done
> > with two flags[1], no need for counter).

I tried to implement this, and probably got it wrong somehow:

Test setup consisists of multi-Gbps stream in one direction and fairly
slow one in another. Very low latencies. Also, TLS stack can't do new
flights.

1) The fast stream eventually (~5min) reaches the rekey threshold,
   triggering a KeyUpdate.
2) The other side receives the KeyUpdate. Since last record it sent
   was not KeyUpdate, it marks KeyUpdate to be sent.
3) The slow stream transmits something. Since KeyUpdate is pending,
   it is sent, along with something else (so last record is not a
   KeyUpdate.
4) The fast sender receives the KeyUpdate. Since last record it
   sent was not a KeyUpdate (it has sent more data since) it
   schedules a KeyUpdate to be sent.
5) Almost immediately new data arrives, and since KeyUpdate is pending,
   it is sent, along with something else (so last record is not a
   KeyUpdate).
6) Goto 2.

The result is ping-pong of KeyUpdate's that starts as soon as one side
sends one (at rate determined by the send rate of the slower peer,
which still can be pretty high).


-Ilari

v2.23.0 | Report a Bug | By Email