IETF Logo Mail Archive

Re: [TLS] judging consensus on keys used in handshake and data messages

David Benjamin <davidben@chromium.org> Wed, 06 July 2016 22:19 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC91D12D0C3 for <tls@ietfa.amsl.com>; Wed, 6 Jul 2016 15:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ud1fwHmwa_Ff for <tls@ietfa.amsl.com>; Wed, 6 Jul 2016 15:19:44 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EF2A12D79A for <tls@ietf.org>; Wed, 6 Jul 2016 15:19:40 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id h190so7198143ith.1 for <tls@ietf.org>; Wed, 06 Jul 2016 15:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xcvP2RZuKimMvtJtAayF0s93nSqK8U3YaPIsAsWG/kQ=; b=DFWuKXwa3kB8A5xzqbAY/g7TEdjX84NkNvg0+8WJjjQ2f96sTLqzSC/b5RLy5dylEe QVOb0vAe/Eec2fCMg3p4dNGW2CLXAUbrXtu4rLUQje5FrfWiFyz9cu10qniy1iqZ9Bil OCa5mYFdhI9KEdFwoThgzoyYgSUD6/065+9AE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xcvP2RZuKimMvtJtAayF0s93nSqK8U3YaPIsAsWG/kQ=; b=E3zJ9lyKT/UPhBIv78sV04XMdt9vJYlfrHubMaSd7OmI6f0aVMO98nMxGlm5YN57KJ nl8fP5XuK5jjiaLls+rdq9pozhcUd7uivPMFzY64xkxF5PLBsjkzkEtxD0Wh5N1iQAGQ qSsYzuNKd1dNokiZD+1HSoj5ZptyGt/4FaysSQzO2sK3/SOmdYqMmMbruD9OHjkhl2rk 4DK/lKZMMCSg3gQD3QqHY6MFYb0a31JXW8of7A4FIGlCmpSC0I+9byJ7I9bRsRRuFv5s VZitOxd/R8AjDMDMwyGPzI1mjHCN5ibBSOyYWngh7v0yyluPidfxOOPCbya0zpj1A4gY XGNA==
X-Gm-Message-State: ALyK8tIOzdegrrx7hK0I5EqzKekG1BuiPgs80KVHWULQRqyxC8KA+CAJdq0r0Mv+JYbAOmCzqOTT1eDlkQn7gIhi
X-Received: by 10.36.13.19 with SMTP id 19mr22643449itx.76.1467843579904; Wed, 06 Jul 2016 15:19:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoA2RmAUMR=4bOOwepSSdrJ2tUGD1B+hieQzZaRVnwXo=A@mail.gmail.com> <A2C29D69-FF97-4C16-941B-87C0022C6362@gmail.com>
In-Reply-To: <A2C29D69-FF97-4C16-941B-87C0022C6362@gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 06 Jul 2016 22:19:29 +0000
Message-ID: <CAF8qwaC+iXoJ_Z9xuB4UqR4-7EmXUmr2pRRcBDxtDP-eZ8LzAg@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a113f87342b07430536fef712"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0Gqunv_mLwI9WZP6GCKyAw9wkIg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] judging consensus on keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 22:19:50 -0000

On Wed, Jul 6, 2016 at 2:11 PM Yoav Nir <ynir.ietf@gmail.com> wrote:

> Hi, Joe
>
> > On 6 Jul 2016, at 8:39 PM, Joseph Salowey <joe@salowey.net> wrote:
> >
> > We are the unenviable position of calling consensus between three
> choices [0]:
> >
> > - Option 1 - use the same key for both handshake and applications
> messages.
> > - Option 2 - restore a public content type and different keys.
> > - Option 3 - separately encrypting the content type.
> >
> > At this point the consensus is rough.
> >
> > The first option we would broadly characterize as supported by the
> implementers because they can’t see the harm in using the same key but
> opposed by the cryptographers because it makes the proofs harder making
> mistakes easier to miss.
> >
> > The second option as supported by researchers/cryptographers because it
> cleanly separates the keys used but opposed by the implementers because
> it’s unnecessarily complex.  In general, privacy advocates do not support
> this option either.
> >
> > The third was not really discussed at all and it’s not clear what is the
> impact to security proofs or implementations.
> >
> > As we see it the privacy concerns are somewhat of a moving target,
> however not encrypting the content type seems worse for privacy than
> encrypting it.
> >
> > We are looking to eliminate option 2 and choose 1 or 3.  If you are in
> favor of option 2 then we need to know if option 1 meets your needs, if
> option 3 is better than option 1, or if you feel that the only viable
> option is option 2.
>
> I will re-iterate my opposition to option 2. Some occurrences on
> non-application data records within a TLS session are initiated by user
> action or application state. Best example is when the user sees a login
> page and clicks the button that says “Log in with certificates…” causing
> (in TLS 1.2) a HelloRequest to be send and a renegotiation with client
> certificates, or (in TLS 1.3) a CertificateRequest to be sent followed by
> the client sending a certificate. This is not some theoretical weakness.
> This is real information disclosure. With TLS 1.2 you can look at the
> Wireshark screen, point to the handshake record in the middle of the TCP
> flow and know that this is where the user pressed the button.
>
> Of options 1 and 3, I can see that #3 is theoretically better, but the
> design seems too baroque to me. I hope it can be done without adding a
> whole new block operation to each record, and I prefer the simplicity of
> #1, but I’m not really opposed to #3. IIRC there were some cryptographers
> who were concerned about #1. We haven’t heard from them that #3 solves
> their issue, have we?
>

I'm also curious which post-handshake messages are the problem. If we were
to rename "post-handshake handshake messages" to "post-handshake bonus
messages" with a distinct bonus_message record type, where would there
still be an issue? (Alerts and application data share keys and this seems
to have been fine.)

For post-handshake client auth, is
draft-bishop-httpbis-http2-additional-certs-01 still the plan for HTTP/2?
It seems to me that, whatever we do for the HTTP/1.1 + TLS 1.3 case, we
need to solve certificate auth hosted in application data anyway. So we
don't gain anything overall for HTTP if these messages share fate with
handshake vs. application data. And, as you note, this is where the
information disclosure is particularly bad.

The KeyUpdate messages themselves seem so inconsequential that I likewise
can't imagine key separation is particularly important. But I don't
understand the proof-related concerns, so perhaps I'm confused.

NewSessionTicket I am willing to buy should share fate with the handshake
and not application data. Though it still doesn't seem worth the complexity
tradeoff to me. (With the caveat I, again, don't actually understand the
proof-related concerns.)

David

v2.23.0 | Report a Bug | By Email