IETF Logo Mail Archive

Re: [TLS] Closing on keys used for handshake and data messages

Björn Tackmann <btackmann@eng.ucsd.edu> Tue, 14 June 2016 09:18 UTC

Return-Path: <btackmann@eng.ucsd.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EAD012D11F for <tls@ietfa.amsl.com>; Tue, 14 Jun 2016 02:18:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eng.ucsd.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsZie2BOAXi2 for <tls@ietfa.amsl.com>; Tue, 14 Jun 2016 02:18:18 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A75C12B032 for <tls@ietf.org>; Tue, 14 Jun 2016 02:18:18 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id k204so113506208wmk.0 for <tls@ietf.org>; Tue, 14 Jun 2016 02:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eng.ucsd.edu; s=google; h=mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=J/r1Hqee2Cv4ZqNrfcYKzsGows9UFd/aZEDAqfqBKpc=; b=QqI2XVyWBTHS6cysF2sdXkoWZrFRmIcMS3UaXjcEqBBwal2LKip5I+vwZCpiGwFoIT 4ATUnqVxEqJ8mVJxD4uH6T0g5RXCLCE44odDSxML4qzJJz02IpH+tbjrXqzHKumOcp7N bfyevuPrzBhvQFAq5Yr1ADlWfo2WKaZn99JPI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=J/r1Hqee2Cv4ZqNrfcYKzsGows9UFd/aZEDAqfqBKpc=; b=hrSaAsT4J/YwU3o91rn5TJpt2MB44LbwK4SE+8ZHq+h0jyquPOFlVbbD1hbvn8yHgN FC6NNGbQk9orRtVXIQW66Uu4Iw90bn15ak1kYVqCm3j8zGEfA4xzVo/FJShA6ZP1J+Iz KRgKWCqdy9RkAps6PvOjVFhQGu5tG5/jxp7Mi7nDcBUxiz0Aem5FBOjTK42ynPjXrpIK kPkwfTMNCd98GQ11ReTvSEeRAcahfiK3HwEnEbuaMMJEY3rf/b9QG+2lyiFqUCYd5Jtd wD++BObC4rf4im2qP3REnOqNlpsCU+lHMtiETQdQea1AfvIld35LeG5Rm4AseheVG3AS qsSg==
X-Gm-Message-State: ALyK8tJPGDY16w7miVGK4r7SMNkXGNrnQQrx3JtnIzWrzgYsaBK+tNs5NrtGPTEtobjgsY39
X-Received: by 10.28.69.210 with SMTP id l79mr1551596wmi.31.1465895896483; Tue, 14 Jun 2016 02:18:16 -0700 (PDT)
Received: from [10.71.48.202] ([185.25.95.132]) by smtp.gmail.com with ESMTPSA id 124sm3086401wml.12.2016.06.14.02.18.15 for <tls@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 14 Jun 2016 02:18:15 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Björn Tackmann <btackmann@eng.ucsd.edu>
In-Reply-To: <87d1nqc9gq.fsf@alice.fifthhorseman.net>
Date: Tue, 14 Jun 2016 11:18:14 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <38042862-8DF3-48A1-9B35-2D902EE12FC1@eng.ucsd.edu>
References: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com> <87d1nqc9gq.fsf@alice.fifthhorseman.net>
To: "tls@ietf.org" <tls@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1Uaxn1LXvabx2frtJKlk7aEhWuU>
Subject: Re: [TLS] Closing on keys used for handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2016 09:18:20 -0000

Hi dkg,

sorry for my late response.

Let me start by saying that I do not believe that this is really critical; after all, we can prove alternative (1) as well — it’s just less clean and makes the proofs harder to write, read, and verify, which is generally not a good thing for a cryptographic protocol. On the other hand, the privacy improvements offered by alternative (2) appear to be rather moderate; even if we were to realistically achieve the best privacy it could offer, it would protect the fact that a “new session ticket” message (is this a gain at all?) or a client auth message was sent. If I understood correctly, client auth has not been widely used in previous TLS versions, and even if this would change, it’s not quite clear how big the gain is. Maybe you have more precise insights into this than I do?


> On Jun 9, 2016, at 11:56 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> I confess i was hoping that double-encrypting would provide some measure
> of useful key separation for cryptanalysis.  I don't think i understand
> Ilari's explanation in this thread, though, so i'd appreciate any other
> attempts to clarify.

Double encryption is not problematic. It just does not have advantages over alternative (1) in terms of cryptographic analysis (it does not quite help in modularizing the proofs). On the other hand, we’ve heard (others may want to chime in) that it /does/ make the implementation more cumbersome, in the sense that it requires more changes to the existing code base.

In that sense, it appears to be strictly dominated by alternative (1).


>> PUBLIC CONTENT TYPES
>> 
>> Clearly, having a public content type and separate keys for handshake and
>> application data provides full key separation, at the cost of revealing
>> whether a given record is handshake or application data (and potentially
>> alerts). The major question that the group had was whether it was actually
>> possible to conceal this information effectively, even with encrypted
>> content types, since hiding the handshake messages in the application
>> traffic requires detailed knowledge about the application traffic pattern
>> (e.g., packet lengths, timing, response patterns, etc.). It’s clear some
>> analysis of this is needed.
> 
> We know that traffic analysis is difficult, and may in some cases be
> impossible.  This is an area in need of active research.  However,
> deciding to make it *always* impossible to protect because we don't know
> how to protect it absolutely is "security nihilism", and i hoped we were
> moving beyond that mindset as a community.

I beg to disagree here.

First, we would not drop it for no reason whatsoever. We would drop it because dropping it has other advantages. It’s a trade-off.
Second, we should in any case carefully point out that this mechanism alone, i.e., without proper padding etc., may not provide any additional privacy guarantees. A security mechanism that does not work can be worse than no mechanism at all if people start relying on it without understanding what it achieves.

Introducing a mechanism without analyzing it is somewhat akin to what happened to encryption with compression. (Used properly, it can be useful.) I hoped we were moving beyond that mindset — sorry for echoing ;-)


> If we don't have a mechanism to hide this metadata, then we certainly
> won't develop any useful practice around actually making it
> indistinguishable.  Protecting users is a multidimensional problem.  We
> should provide a mechanism to make this information indistinguishable in
> the axis we know how to handle (encrypting the material itself) so that
> there is a reason for people to work on the axes we don't yet know how
> to handle (protecting against traffic analysis).

I’m totally in for protecting user privacy. I simply believe that we should first specify what we want, then see whether we can achieve it, and then build the mechanism that does it.


Cheers,
Bjoern


--
Björn Tackmann
Postdoctoral Research Scholar
Computer Science & Engineering, UC San Diego

v2.23.0 | Report a Bug | By Email