Re: [TLS] Babel-HMAC [was: are we holding TLS wrong?]

Juliusz Chroboczek <jch@irif.fr> Wed, 14 November 2018 10:49 UTC

Return-Path: <jch@irif.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E1A312D4E7; Wed, 14 Nov 2018 02:49:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GuzPx9s884p0; Wed, 14 Nov 2018 02:49:45 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F491124408; Wed, 14 Nov 2018 02:49:45 -0800 (PST)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id wAEAnapq018807; Wed, 14 Nov 2018 11:49:36 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 2901C440CC; Wed, 14 Nov 2018 11:49:43 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id 6faPEvZB3MmX; Wed, 14 Nov 2018 11:49:41 +0100 (CET)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id D68E5440CA; Wed, 14 Nov 2018 11:49:39 +0100 (CET)
Date: Wed, 14 Nov 2018 11:49:39 +0100
Message-ID: <87muqcc4sc.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: dschinazi.ietf@gmail.com, "<tls@ietf.org>" <tls@ietf.org>, draft-ietf-babel-dtls@ietf.org
In-Reply-To: <CABkgnnXFWvLKKcgxCs=AwPJifFwUANH_87ocQV+FNYiVoHH_XA@mail.gmail.com>
References: <CAPDSy+7-ceNNLJpFK0Z4SitBaUgxTpxiea8Z0QtpeSr+MNLKFg@mail.gmail.com> <CABkgnnWF6_cqhMCKMWHYNcdOTU=4BjRYaYMtfz-A3jtxprRAHA@mail.gmail.com> <87wopmw7sh.wl-jch@irif.fr> <CABkgnnXFWvLKKcgxCs=AwPJifFwUANH_87ocQV+FNYiVoHH_XA@mail.gmail.com>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Wed, 14 Nov 2018 11:49:37 +0100 (CET)
X-Miltered: at korolev with ID 5BEBFDC0.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5BEBFDC0.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5BEBFDC0.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3U__YDIeeEPePPRtFA6y2-Miklc>
Subject: Re: [TLS] Babel-HMAC [was: are we holding TLS wrong?]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 10:49:48 -0000

>> Unless I've missed something -- they are not, assuming you have
>> a sufficiently strong random number generator.  The challenge mechanism
>> rebuilds the shared state in a secure manner, and the index mechanism
>> ensures that an (index, seqno) pair is never reused.

> I had a really hard time understanding this, even with this help.
> Right now, I don't know what key is used for HMAC.  I think that the
> expectation is that each peer has a fixed HMAC key, but the contents
> of the packet always change, thereby ensuring that the resulting MAC
> is different for every packet.

That's the general idea, yes.  I'm not a cryptographer myself, and I don't
know how original this is.

> I would suggest that a formal analysis would be a good idea.

Yes, we're hoping to do that.  If you could point us to examples of papers
that contain a proof of correctness of a cryptographic protocol that you
believe is well done, that'd be helpful.

-- Juliusz