[TLS] Pull request for session hash

Eric Rescorla <ekr@rtfm.com> Fri, 07 November 2014 22:02 UTC

I've created a preliminary pull request to adapt the session hash fix for
TLS 1.3 for feedback from the WG.

Points to note:

- IMPORTANT: Because the initial handshake messages are encrypted
  under separate keys from the application data traffic, it seems like we
  need to have 2 sets of CCS messages or none. In anticipation of removing
  renegotiation (see PR https://github.com/tlswg/tls13-spec/pull/88).
  Based on conversations with Alfredo and Martin, it seemed easier
  to remove them. Warning: analysis needed here.

- I created a separate resumption master secret that is fed into the
  key hierarchy. This makes the description of that simpler but will
  need revisiting if we adopt either Rich's unification of session hash
  and tickets or Karthik's PSK-as-tickets unification, but that seemed
  like a separate issue.

- If we adopt the Update proposal we will also need to split the master
  keys into two directional keys, but that's distinct as well.

- I still need to add the names of the session hash authors to
  acknowledgements.

This will probably need another revision before it is ready for merging, but
I wanted to get it out there for feedback.

-Ekr