Re: [TLS] DTLS Key Separation PR

"Martin Thomson" <mt@lowentropy.net> Thu, 10 October 2019 23:02 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 365AE1200D7 for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 16:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=SYQu/FA6; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=CfgxUk2V
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpbepq7SeRUu for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 16:02:09 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB2AE12003E for <tls@ietf.org>; Thu, 10 Oct 2019 16:02:09 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id F35F754C; Thu, 10 Oct 2019 19:02:08 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Thu, 10 Oct 2019 19:02:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=V+xEwiwdxgmBUyCcLANs3NyL5KG2 CRe0av01v7TyCF4=; b=SYQu/FA6xb2/tD76VAWkf+xnSLXauYY0uu0dX47+Dc4s VAoX4UUnh15d9O24a2NrhFpOuWXb9yOwdCa/un7aGUQfne7hAMzzqSL9PdlVHPr6 DNBiPrPULcZP9c3GYmT3YZhky9Em5mHT0f9q3DyTn6vJEoBJEyQ5Kv3RgBofgPGk 81gMdeUreTswofAr3i8OesyM2yy9ahzjDcOb9O5+AFzoJQEgZ51p2vtVrOBDFso4 imenC4KyIyy/TOvz8EJqDf314BIv8I2cjiaMhmxzYTqU12lmDqsPid+GBtaviz9C wCB4WfC2qpPVlrM7SHrlVg8V0l1jTBUEO3FeYaiJYQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=V+xEwi wdxgmBUyCcLANs3NyL5KG2CRe0av01v7TyCF4=; b=CfgxUk2VujeGWwPOw9m4E0 IC3dGLmP7Oi2fDmzh0uqP8FzoHonXD5/wbzEnF0G9sEkTUMdWcktGSnI3P1RBN2D FpGmXjEGkeLuWJ61djhWFDz2n9XfyubP0Hr4xSjYw8meN6ftpKcnb/9uGpiI7omM 4dAM1rar3PesyRwOdXqT8zTIuysXn+H/TTndZGaYqNGu9twVloN4wvAnbT6N4q8S 5KdxnVCnEPO0g6igGexdBr5h+o1d56pTKH0H4wdKYoepJS8QwbGrBEhHMlHz0EPY yRz8DDj7TWg5VsoymVgGMOPnmREdXdyW79vJsaN6F5VcKG76+1Epcvm5mFErofbA ==
X-ME-Sender: <xms:cLifXa_u-ln6gfLiPIoli3B0yGsLwuXM0YnU88ZprEfqZvpaHcieCg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrieeggdduiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuffhomhgrihhnpehgihhthhhusgdrtghomhdpihgvth hfrdhorhhgnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophih rdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:cLifXQUqd63Ob_hD3q5zv_TOIBAvJCT4eD2YQGh05QaGxXa_izOKXw> <xmx:cLifXfNUq15EVHovLKykHcDSCcYHgF-c2EubILcMpq_F_8yyXuNa6w> <xmx:cLifXQYKnC4azZT00Qc25vuqL_IyS48ypj9C7Us_LPbi2wks7GujtQ> <xmx:cLifXczmV7Eg0jWU5Wsx3aDzM6sS0St8IZ2vvwbR09ghSrU-aH1aOg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DE03EE00A5; Thu, 10 Oct 2019 19:02:07 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-360-g7dda896-fmstable-20191004v2
Mime-Version: 1.0
Message-Id: <f15bbae0-db5a-468e-8514-e001bc9f2cc3@www.fastmail.com>
In-Reply-To: <CABcZeBPRMTEYC2b1Z94uDPXy6Y5tPTTjK7yzWff4Eze1wtgfpQ@mail.gmail.com>
References: <CABcZeBMDDyuTQ72sk2UNqpUMk+aHaskrJjSyQkUqt1HZFgnNGw@mail.gmail.com> <69c7cfbd-fe9f-40fa-b92b-e4b65fa6cb5d@www.fastmail.com> <CABcZeBPRMTEYC2b1Z94uDPXy6Y5tPTTjK7yzWff4Eze1wtgfpQ@mail.gmail.com>
Date: Fri, 11 Oct 2019 10:01:48 +1100
From: "Martin Thomson" <mt@lowentropy.net>
To: "'Eric Rescorla'" <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/23LukH72TeRMXQNvsP-C3m7ppS8>
Subject: Re: [TLS] DTLS Key Separation PR
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2019 23:02:12 -0000

Thanks, that was my mistake.  I confirmed with our code and we are indeed right up to the line.

On Thu, Oct 10, 2019, at 23:37, Eric Rescorla wrote:
> 
> 
> On Wed, Oct 9, 2019 at 7:01 PM Martin Thomson <mt@lowentropy.net> wrote:
> > tl;dr keep the space.
> > 
> >  I had a little trouble reproducing the 12 from RFC 8446, so I double-checked.
> > 
> >  ....
> > 
> >  Working from the base for SHA-256:
> > 
> >  The last block of SHA-256 is rounded up to 448 bits (56 bytes), less one to allow for padding. Therefore we have 55 bytes to use without having to run two blocks through SHA-256.
> > 
> >  HMAC-Hash = H(K XOR opad || H(K XOR ipad || text))
> > 
> >  Here `K XOR ipad` is the 32 bytes output size of SHA-256, so we are down to 23 bytes for text before it adds a block.
> 
> In HMAC the key consumes an entire input block, so that you are 
> guaranteed a compression function cycle before the data is added:
> 
> 1) append zeros to the end of K to create a B byte string
>         (e.g., if K is of length 20 bytes and B=64, then K will be
>          appended with 44 zero bytes 0x00)
>     (2) XOR (bitwise exclusive-OR) the B byte string computed in step
>         (1) with ipad
> 
> https://tools.ietf.org/rfcmarkup?doc=2104#section-2This shifts 
> everything to the right 32 bytes, which, because context is 32 bytes, 
> gets us back to 12, I think, though I haven't re-worked through it. 
> 
> Here's Ilari's original analysis, if that's helpful:
> https://mailarchive.ietf.org/arch/msg/tls/n_TFape7L4HHoKLxGo8CkimZziI
> 
> -Ekr
> 
> 
> 
> 
> >  HKDF-Expand = HMAC-Hash(PRK, info | 0x01)
> > 
> >  This takes one more. Down to 22.
> > 
> >  HKDF-Expand-Label passes info in the form of:
> > 
> >  struct {
> >  uint16 length = Length;
> >  opaque label<7..255> = "tls13 " + Label;
> >  opaque context<0..255> = Context;
> >  } HkdfLabel;
> > 
> >  which has a minimal overhead of 2 + 1 + len("tls13 ") + 1 = 10. So we get 12.
> > 
> >  "c ap traffic" is 12 bytes long, so yeah it *looks* like we're stuck if we care about not adding too many extra hash iterations.
> > 
> >  ....
> > 
> >  But if you look at the key schedule, we always provide a context for those cases we use "c ap traffic". Those will always spill over into the next iteration as Context is 32 bytes. So for those cases, we have a whole 32 bytes extra to play with. The only cases with an empty Context are "derived" and "res binder"|"ext binder". Those max out at 10, so we seem to have two whole bytes of wiggle room.
> > 
> >  You can safely add the space.
> > 
> >  On Wed, Oct 2, 2019, at 08:40, Eric Rescorla wrote:
> >  > Hi folks,
> >  > 
> >  > As discussed in Montreal, I've prepared a PR to give us DTLS/TLS key separation.
> >  > 
> >  > See: 
> >  > https://github.com/tlswg/dtls13-spec/pull/99
> >  > 
> >  > Sadly. we didn't have enough space for "dtls13 " so I went for "dtls13"
> >  > 
> >  > -Ekr
> >  > 
> >  > _______________________________________________
> >  > TLS mailing list
> >  > TLS@ietf.org
> >  > https://www.ietf.org/mailman/listinfo/tls
> >  >
> > 
> >  _______________________________________________
> >  TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls