IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 01 September 2016 21:09 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76DC912D772 for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZx4AlXW7NcS for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:09:56 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id C959712D729 for <tls@ietf.org>; Thu, 1 Sep 2016 14:09:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id F249A109DB; Fri, 2 Sep 2016 00:09:53 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id 5lNMttZRdJTo; Fri, 2 Sep 2016 00:09:53 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-237-87.bb.dnainternet.fi [87.100.237.87]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 6A465C4; Fri, 2 Sep 2016 00:09:53 +0300 (EEST)
Date: Fri, 02 Sep 2016 00:09:52 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160901210952.hj34o2ycel2ssd65@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMzhQmN8=pw4LGHtZHyRQcVsx4DGwE89GNpHPUSENfbxcTHwRA@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99565C26C5@PRN-MBX01-4.TheFacebook.com> <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com> <95C31431-189C-41ED-A2D2-E370A5FB8F7A@vigilsec.com> <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com>
User-Agent: NeoMutt/ (1.7.0)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3MQmMSm5AGfGCpYLlo8WAJxtIqc>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 21:09:59 -0000

On Thu, Sep 01, 2016 at 12:55:29PM -0700, Eric Rescorla wrote:
> I have created a PR for this at:
> https://github.com/tlswg/tls13-spec/pull/611
> 
> As it seems there was rough consensus for this change, I will merge this
> weekend
> absent some violent objections or direction to the contrary from the chairs.
> 
> -Ekr

I tried to implement this, and discovered an issue:

The client handshake traffic secret is needed for deriving client
Finished, and client application traffic secret is only needed after
that point. However, the derivation of client application traffic
secret uses handshake hash post Server Finished.

So you either need to buffer the handshake hash value, or have two
overlapping client traffic secrets.

Changing the client application traffic secret context to extend
up to Client Finished would solve the issue.

Additionally:
- That would make the implementation look nicely symmetric
- Would also prevent having "not yet" keys. One can derive keys
  from present state and install them immediately.



-Ilari

v2.14.0 | Report a Bug | By Email