[TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Mon, 11 November 2024 15:19 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3794C151548 for <tls@ietfa.amsl.com>; Mon, 11 Nov 2024 07:19:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhKhICcqaKMa for <tls@ietfa.amsl.com>; Mon, 11 Nov 2024 07:19:26 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B6EC14F6FC for <tls@ietf.org>; Mon, 11 Nov 2024 07:19:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=In-Reply-To:References:CC:To:From:Subject: MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=o0otBVDgWHM25X2G9wd4vV3FHOmwlMFi9CUrerLCiSg=; b=y2pzyyHt2hZ+XkTEGOiYJUbsXV b0U0UEy6UUDhjGom5lm8o69ik9oOoiEL/Wym56isWw1dOd++ULIidSshJHHznVPgruIERmD61coc/ +e7biEg1XU+Koi+4o9uVnvIi+gU/zAVzciG5Ptp6p+Bj4s+JkL0wWjC3zZcc1B6bDHxolMxGeI7RN p7BcL8/aICvICCV+HuWq2awc3mVhXLimNi0aKTFTuFotO1lvpbh7TFab51hVeXPKYxxkNQpIaiWrI m/fw86bam5Ax4kxYSNFRZ/NCRDzGGcQml2HggMnhSeDGjYkNIC8YL08tPfYq7YfFObetVTMoYmAp2 OgtsBLbA==;
Received: from [172.26.35.111] (helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1tAWCK-00GKJA-67; Mon, 11 Nov 2024 16:19:25 +0100
Received: from msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) by MSX-T311.msx.ad.zih.tu-dresden.de (172.26.35.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Mon, 11 Nov 2024 16:19:20 +0100
Received: from [192.168.1.2] (89.12.235.214) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 11 Nov 2024 16:19:20 +0100
Content-Type: multipart/alternative; boundary="------------a0CesT7h0qup0Ll0DHvLO7qK"
Message-ID: <b805cab0-1395-44cc-9dfb-8599e491226d@tu-dresden.de>
Date: Mon, 11 Nov 2024 16:19:19 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: tls@ietf.org
References: <90bdd3cd-a5d0-4a82-b28c-2965536a7154@tu-dresden.de> <CADi0yUP27w+gcLvfWjn=+EqxfiWebFiyaNa1aUomVai8AUAU5w@mail.gmail.com> <f16029e7-33ea-449d-9a6d-936b649d30d5@tu-dresden.de>
Content-Language: en-US
In-Reply-To: <f16029e7-33ea-449d-9a6d-936b649d30d5@tu-dresden.de>
X-ClientProxiedBy: msx-l318.msx.ad.zih.tu-dresden.de (172.26.34.118) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Message-ID-Hash: EJTC4DA7KOVCSQVDCDN747FT6SNNMW5J
X-Message-ID-Hash: EJTC4DA7KOVCSQVDCDN747FT6SNNMW5J
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3pv0hPi6XjX1ZcGNj_3kTNPqHbk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Just a quick update/reminder on this: The authors acknowledged that their implementation of key schedule in ProVerif was incorrect [5-6]. So this part of the mystery was resolved. However, it is still unclear whether there are any /practical/ attacks if Derive-Secret is skipped in generating handshake and master secrets. Again, I am not much into computational analysis. I may be missing something but I would very much like to know what I am missing. Is there any intuitive explanation for understanding why Derive-Secret is required? Usama On 22.12.23 11:11, Muhammad Usama Sardar wrote: > > Hi Hugo, > > Following the related sources [1-4], it appears to be - as Eric called > it - a theoretical and futuristic concern. In my understanding, the > main concern was that with the key hierarchy of draft 18: > > * the Handshake Secret could collide with binder_key if the attacker > is somehow able to match (EC)DHE secret with the label to the > corresponding Derive-Secret. > * the Handshake Secret could collide with > client_early_traffic_secret if the attacker is somehow able to > match (EC)DHE secret with the label to the corresponding > Derive-Secret. > > The reasoning for 2nd Derive-Secret is even more far-fetched. If in > the future the IKM input to HKDF-Extract (zero) changes, then similar > collision may happen between Master Secret and > client_handshake_traffic_secret or server_handshake_traffic_secret. So > my question more precisely is: > > * Is there any /practical/ security implication for missing the > additional Derive-Secrets? Has this ever been /practically/ > exploited? Has anyone else explored this? > > Now about the Inria paper that you have mentioned, I am not much > knowledgeable about computational analysis. I understand that it > helped them remove the assumption (that DH group elements do not match > the corresponding labels) in their proof in CryptoVerif but the > corresponding formal analysis in ProVerif in the same paper does not > support this view, i.e., all properties remain the same regardless of > the additional Derive-Secret. > > Moreover, the implementation of key hierarchy in draft 20 in ProVerif > by the authors is incorrect [5-6]. For instance, due to a strange > reason and beyond our understanding, the draft 20 implementation does > not use the Derive-Secret for Master Secret [5]. Do you have any > thoughts/opinion on this? The same implementation is being used by > other extensions as a baseline, including Lurk [7]. > > Usama > > [1] https://github.com/tlswg/tls13-spec/pull/875 > > [2] https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/ > > [3] > https://datatracker.ietf.org/meeting/98/materials/slides-98-tls-tls13-00 > > [4] > https://www.youtube.com/watch?v=oSwXkhVd2ts&list=PLC86T-6ZTP5jo6kIuqdyeYYhsKv9sUwG1&ab_channel=IETF-InternetEngineeringTaskForce > > [5] https://github.com/Inria-Prosecco/reftls/issues/6 > > [6] https://github.com/Inria-Prosecco/reftls/issues/7 > > [7] https://github.com/lurk-t/proverif > > > On 17.12.23 21:05, Hugo Krawczyk wrote: >> See full thread here >> https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/ >> >> See also how this helped analysis here (search for reference [73] >> https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf >> >> On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar >> <muhammad_usama.sardar@tu-dresden.de> wrote: >> >> Hi all, >> >> In the key schedule (section 7.1) of RFC8446(bis), what is the >> rationale for using /*Derive-Secret(., "derived", "")*/in the >> derivations of Handshake and Master Secrets? Since this change >> was made in draft 19, I expect there should be some reasoning of >> why this was added. Specifically, what are the security >> implications if this step is missed, i.e., >> >> * if Early Secret is directly used as the Salt argument for >> HKDF-Extract of Handshake Secret; >> * and similarly if Handshake Secret is directly used as the >> Salt argument for HKDF-Extract of Master Secret. >> >> Regards, >> >> Usama >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >>
- [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Hugo Krawczyk
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Fwd: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar