Re: [TLS] Do we really need two 0-RTT keys?
Christian Huitema <huitema@microsoft.com> Sat, 19 December 2015 00:41 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4F3A1A014B for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 16:41:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlVdvQOY0mmU for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 16:41:30 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0139.outbound.protection.outlook.com [65.55.169.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75F391A014D for <tls@ietf.org>; Fri, 18 Dec 2015 16:41:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=6nZZiv+irn8P1v0qXRbwyvHHo04fSu6Udcx/7aqZ9A4=; b=cG6PJT/05vaBV4r/2CG8Ip60xGhqHcbCACvy7bEHpzl5AdbnZ+U/fkEHrLKHA8w1NPOYhcVtdBK+V005aR8mlqUBHQRVwXvee+szTLf4yraJ9OFRCyHPAEFmkL0OzE7CnIn80noWzzPmHXia8Oli+RQzz/hMnlVGwZr6pVbdxys=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0654.namprd03.prod.outlook.com (10.160.96.16) with Microsoft SMTP Server (TLS) id 15.1.361.13; Sat, 19 Dec 2015 00:41:28 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0361.006; Sat, 19 Dec 2015 00:41:28 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] Do we really need two 0-RTT keys?
Thread-Index: AdE545+dJMVvs5LHSUe65W5oKcLEUQABH+iAAALoXtA=
Date: Sat, 19 Dec 2015 00:41:28 +0000
Message-ID: <DM2PR0301MB06553304E0A2F75EDA7F52AEA8E20@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <DM2PR0301MB065560395A8F3BD86855348DA8E10@DM2PR0301MB0655.namprd03.prod.outlook.com> <CABcZeBNQM5nUjBZL1QPtB789ODmuZ5iF59kNtfAWp5x+yP4NNg@mail.gmail.com>
In-Reply-To: <CABcZeBNQM5nUjBZL1QPtB789ODmuZ5iF59kNtfAWp5x+yP4NNg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [131.107.159.119]
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0654; 5:OPsp6JiPRplMS1/9b1WlLQLCBxAJhsqYRNfXINfG/2AvcMvua2k8MzGH+sWIzLzz7mnINmAyvrPTwF/CjpiXSCRNDyWgKjnqH8DBQiwIp4ueNe6pi7+D6pklHU/pUEQkINdOkkR9fd4KTwUXjHX50g==; 24:TzAyY9v/bP2yRxDJQufP91bt7496Ai8+MekENHDBC4PPmXPtxBRrPJyUKWp2Jn44fDLzStXjvixZNp5uaXs4ofFQlpwPwMUGICA5YAWLCEQ=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0654;
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <DM2PR0301MB0654343AA12B5EB5FC7B9D29A8E20@DM2PR0301MB0654.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:DM2PR0301MB0654; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0654;
x-forefront-prvs: 07954CC105
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(377454003)(199003)(24454002)(106356001)(5001960100002)(189998001)(54356999)(76176999)(81156007)(99286002)(105586002)(110136002)(19580405001)(86612001)(86362001)(101416001)(97736004)(5003600100002)(50986999)(74316001)(66066001)(19580395003)(33656002)(76576001)(2950100001)(3846002)(11100500001)(87936001)(77096005)(8990500004)(10400500002)(40100003)(92566002)(5002640100001)(5004730100002)(2900100001)(5005710100001)(10090500001)(586003)(122556002)(6116002)(10290500002)(1096002)(102836003)(1220700001)(5008740100001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0654; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Dec 2015 00:41:28.3513 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0654
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/30ynBuhEwwFaHZeW1luPPX8xO9k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we really need two 0-RTT keys?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2015 00:41:33 -0000
On Friday, December 18, 2015 3:02 PM, Eric Rescorla wrote: > On Fri, Dec 18, 2015 at 2:45 PM, Christian Huitema <huitema@microsoft.com> wrote: >... >> The text indicates that client auth and application data messages are protected by "keys >> derived from the static secret." But then, hidden in section 7.2 is an interesting twist -- >> two different keys are supposed to be derived from the static secret, one for 0-RTT >> handshake, another for 0-RTT Application. If I understand correctly, the Certificate, >> CertificateVerify and Client Finished message would be protected with the "0-RTT >> Handshake" key, and the Application data and end-of-early data message would >> be protected with the "0-RTT Application" key. > > Yes, that's correct. > >> I assume that there is a good reason for this extra complexity, even if it eludes me. > > The motivation for this was that a number of people working on analysis complained > that using the same key to encrypt handshake traffic and application traffic (as > is done in TLS 1.2 with Finished and application messages) made analysis harder. > I'm not equipped to take a position on this, but that's what I have been told. We > already do that for the 1-RTT keys and we're doing the same thing here. Actually, we do both. In section 6.2.3, the diagram shows [NewSessionTicket] between square brackets, i.e. encrypted with the same key as Application Data. Which makes sense, because it will be received after the Server Finished message. I assume the same is true for other Post Handshake messages. >> But I worry a bit about what that would do when we start working on DTLS 1.3. UDP >> messages can arrive out of order. Yes, there is a message number, but the record layer >> is not necessarily well positioned to interpret it -- the certificate and verify message >> are optional, so when a record layer receives packet #3 before packet #2, it does not >> know whether this is a CertificateVerify message (handshake key) or an application >> message (application key). > > Note: the Certificate message isn't optional in the sense that the server doesn't > know if it's coming. Whether it's sent is conditioned on the configuration (in WIP-11) > an on the client's EarlyDataInfication (in WIP-10). Yes, I realize that. But in theory we have a "layered protocol." What you describe is somewhat of a layer violation. > But your general point is right in that you can have loss and reordering. So, for instance, > say that the client sends messages with seq nums as follows: > > ClientHello: 0 (in clear) > Finished: 1 (with Handshake Key) > AppData: 2 (with app key) > > Now, 1 and 2 are lost, and the client retransmits: > > Finished: 3 (with Handshake Key) > AppData: 4 (with app key) > > If #3 is now lost, the server may not know if #4 is handshake or application data > since (for instance) the client might have fragmented the Finished over two > records. > > Now, I think there are several ways to deal with this. First, the server can just > continue to attempt to process records with the handshake key until the handshake > is completed, in which case it will drop #4 and then get the retransmit of the > Finished (#5, presumably). Second, DTLS has an epoch # used to indicate which > generation key you are using. We should come down on some deterministic use of > that in which case things will be obvious. The obvious workaround is to have several keys available at the record layer, and if one fails try the other. Of course, it opens the gates for interesting bugs... >> Yes, there are solutions, yes, it can be managed, but are we sure that this particular bit >> of complexity is worth it? > > Karthik? Others? :) > >> And if it worth it, can we add a description of the key switching logic in section 6.2.2? > > That seems like a good plan... Yes please! -- Christian Huitema
- [TLS] Do we really need two 0-RTT keys? Christian Huitema
- Re: [TLS] Do we really need two 0-RTT keys? Eric Rescorla
- Re: [TLS] Do we really need two 0-RTT keys? Christian Huitema