Re: [TLS] DTLS Key Separation PR
"Christopher Wood" <caw@heapingbits.net> Fri, 11 October 2019 16:58 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 379821200C5 for <tls@ietfa.amsl.com>; Fri, 11 Oct 2019 09:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=FzZGJZ1F; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=wv9AdOWe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKPl0lBvcwek for <tls@ietfa.amsl.com>; Fri, 11 Oct 2019 09:58:25 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E9061200B8 for <tls@ietf.org>; Fri, 11 Oct 2019 09:58:25 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id CFCD460F for <tls@ietf.org>; Fri, 11 Oct 2019 12:58:24 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Fri, 11 Oct 2019 12:58:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=Qan7nFbpmB8k083qjCmZYutiCjvvKht q1K7tZfE/r+k=; b=FzZGJZ1FzoZ8vaD01jWWzubPBSoHb3r2UMMa5+4twJKrwId fFwDdY0vlaqUyhxte+zQso5iuURFwf0YDwlxpuchvlazW1lBbro0FgJFS6QfuAdO ToVgPmFkjyb/dX6nO4cpDBdDFWs6bnqpKMGVK5AJ3BVvKYiBjL3aXqu/yorQ1Kah 8ygbWNoWZb2dpkqERWp5E88eMuDXEQCtWfd4Ubvp1Vs+vQh8aN/UJCQUoEh5kjMp MPNtImngzrreOlinpKo1SQZjwf8XXbtONpJ1ARcfEERqf3MsgmImDpRGMONLGml8 qBMd7O48UxC2wfypA5b3MCsT9PrP9Frikk3fFRw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Qan7nF bpmB8k083qjCmZYutiCjvvKhtq1K7tZfE/r+k=; b=wv9AdOWeOuZFWEacaRmDLn SgQU7rf92WcOQ4mUZq+PSeLW8prF3P+EumbLCaQCv5Ccbl8oFqEhfvUoEE2qbcju Rlq+tv+VAGNueIf5FciDO5McUp2Bcty57mceHGkTxn7TJC+wrNkdcOhlbBSgo6wE slC8AVoDJnKNJUnulCq/cDNxvkZKcw2zPlRo2TrfXUAZ/LvQSnrDpINyHc+fU2kb 6Mky2XsxWQIIoNgcbxyJyZUGEp/WkuKNzdBFsFoJZLewYcPCR4+z9KFPH/6tNUo0 kzJS5IuJwEmLbpbPqNuqz+wn1l2Qby0tfTB4nbLTws1Ynf1qesDsSBGRH+Gxkl1Q ==
X-ME-Sender: <xms:sLSgXcCldjFKRrqTXWcjBdgy-0RPWLIl_cnaOxdb9NOZUGFw4awTcQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrieehgddutdelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucffohhmrghinhepghhithhhuhgsrdgtoh hmpdhivghtfhdrohhrghenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghp ihhnghgsihhtshdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:sLSgXap3Rw8KysEQCiFlnBAdNrQrvF8u1PsXuA5s-boE1JtyB8KcIA> <xmx:sLSgXbsiXuGAVsoEFhAj8H1kWp9QY13ezCS_YQBO5CNX16Z2Ga0eBw> <xmx:sLSgXXa_WgAbgnifvcLQCeVzwpsM7aB5-BaU2Gn-wQUKHxu_QeQLUA> <xmx:sLSgXdSddz0t547Oq25DrggUZHnoRb7eWlEpZI0zxGgSs6_mNOi6nQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 2849A3C00A1; Fri, 11 Oct 2019 12:58:24 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-360-g7dda896-fmstable-20191004v2
Mime-Version: 1.0
Message-Id: <22c919a7-5df4-4b7c-a5da-a2a81fd1471d@www.fastmail.com>
In-Reply-To: <f15bbae0-db5a-468e-8514-e001bc9f2cc3@www.fastmail.com>
References: <CABcZeBMDDyuTQ72sk2UNqpUMk+aHaskrJjSyQkUqt1HZFgnNGw@mail.gmail.com> <69c7cfbd-fe9f-40fa-b92b-e4b65fa6cb5d@www.fastmail.com> <CABcZeBPRMTEYC2b1Z94uDPXy6Y5tPTTjK7yzWff4Eze1wtgfpQ@mail.gmail.com> <f15bbae0-db5a-468e-8514-e001bc9f2cc3@www.fastmail.com>
Date: Fri, 11 Oct 2019 09:56:59 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4TjjuS3LWhbIS_2zKXY-uYXbe7g>
Subject: Re: [TLS] DTLS Key Separation PR
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 16:58:37 -0000
This PR has been merged. Thanks, all! Best, Chris On Thu, Oct 10, 2019, at 4:01 PM, Martin Thomson wrote: > Thanks, that was my mistake. I confirmed with our code and we are > indeed right up to the line. > > On Thu, Oct 10, 2019, at 23:37, Eric Rescorla wrote: > > > > > > On Wed, Oct 9, 2019 at 7:01 PM Martin Thomson <mt@lowentropy.net> wrote: > > > tl;dr keep the space. > > > > > > I had a little trouble reproducing the 12 from RFC 8446, so I double-checked. > > > > > > .... > > > > > > Working from the base for SHA-256: > > > > > > The last block of SHA-256 is rounded up to 448 bits (56 bytes), less one to allow for padding. Therefore we have 55 bytes to use without having to run two blocks through SHA-256. > > > > > > HMAC-Hash = H(K XOR opad || H(K XOR ipad || text)) > > > > > > Here `K XOR ipad` is the 32 bytes output size of SHA-256, so we are down to 23 bytes for text before it adds a block. > > > > In HMAC the key consumes an entire input block, so that you are > > guaranteed a compression function cycle before the data is added: > > > > 1) append zeros to the end of K to create a B byte string > > (e.g., if K is of length 20 bytes and B=64, then K will be > > appended with 44 zero bytes 0x00) > > (2) XOR (bitwise exclusive-OR) the B byte string computed in step > > (1) with ipad > > > > https://tools.ietf.org/rfcmarkup?doc=2104#section-2This shifts > > everything to the right 32 bytes, which, because context is 32 bytes, > > gets us back to 12, I think, though I haven't re-worked through it. > > > > Here's Ilari's original analysis, if that's helpful: > > https://mailarchive.ietf.org/arch/msg/tls/n_TFape7L4HHoKLxGo8CkimZziI > > > > -Ekr > > > > > > > > > > > HKDF-Expand = HMAC-Hash(PRK, info | 0x01) > > > > > > This takes one more. Down to 22. > > > > > > HKDF-Expand-Label passes info in the form of: > > > > > > struct { > > > uint16 length = Length; > > > opaque label<7..255> = "tls13 " + Label; > > > opaque context<0..255> = Context; > > > } HkdfLabel; > > > > > > which has a minimal overhead of 2 + 1 + len("tls13 ") + 1 = 10. So we get 12. > > > > > > "c ap traffic" is 12 bytes long, so yeah it *looks* like we're stuck if we care about not adding too many extra hash iterations. > > > > > > .... > > > > > > But if you look at the key schedule, we always provide a context for those cases we use "c ap traffic". Those will always spill over into the next iteration as Context is 32 bytes. So for those cases, we have a whole 32 bytes extra to play with. The only cases with an empty Context are "derived" and "res binder"|"ext binder". Those max out at 10, so we seem to have two whole bytes of wiggle room. > > > > > > You can safely add the space. > > > > > > On Wed, Oct 2, 2019, at 08:40, Eric Rescorla wrote: > > > > Hi folks, > > > > > > > > As discussed in Montreal, I've prepared a PR to give us DTLS/TLS key separation. > > > > > > > > See: > > > > https://github.com/tlswg/dtls13-spec/pull/99 > > > > > > > > Sadly. we didn't have enough space for "dtls13 " so I went for "dtls13" > > > > > > > > -Ekr > > > > > > > > _______________________________________________ > > > > TLS mailing list > > > > TLS@ietf.org > > > > https://www.ietf.org/mailman/listinfo/tls > > > > > > > > > > _______________________________________________ > > > TLS mailing list > > > TLS@ietf.org > > > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] DTLS Key Separation PR Eric Rescorla
- Re: [TLS] DTLS Key Separation PR Sean Turner
- Re: [TLS] DTLS Key Separation PR Martin Thomson
- Re: [TLS] DTLS Key Separation PR Eric Rescorla
- Re: [TLS] DTLS Key Separation PR Martin Thomson
- Re: [TLS] DTLS Key Separation PR Christopher Wood