Re: [TLS] Closing on keys used for handshake and data messages
Douglas Stebila <dstebila@gmail.com> Wed, 15 June 2016 19:38 UTC
Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C13812DB39 for <tls@ietfa.amsl.com>; Wed, 15 Jun 2016 12:38:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UTAnP7qbmFoX for <tls@ietfa.amsl.com>; Wed, 15 Jun 2016 12:38:46 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7883E12DB41 for <tls@ietf.org>; Wed, 15 Jun 2016 12:38:45 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id h190so30142243ith.1 for <tls@ietf.org>; Wed, 15 Jun 2016 12:38:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=idgYe4y/Lhn2UPBQlltjyhTU9AZ8jdJrBumNc3anRms=; b=vCGU6UqBwZfL/E2qhoIPavl0N0fKlBT+8UXlSKuqb9K+4gOqsgWguGBpTacM7qMlGU h1db256r9kfvR7Md4i3tI/P4Wa36ZfuJ/2XtOgpRnttl/gm85i1QyBxX300cW999gsvh OtRlWjoZSZc2SRGP5G8lnpnJ1t0Cli4AzUGLq9nbL6dKpH1RniXwEOcBcF82nqeql6jT QljpEkMcVQxE8nGmmJa8lXb51U/d1e4xIEHtvFhatCs2KohR5zIIAE5lBl7zv3x1k+sA Wfap7gUpVSIMBvE9FCoE2Ug8TH49LLjlKgyfXYXJV5X+GdsEjFXfwBltpRUNcGzKKOd8 VltA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=idgYe4y/Lhn2UPBQlltjyhTU9AZ8jdJrBumNc3anRms=; b=eDcykO/VWjD2unLOO0hmKGQHus1vIfDWWaKHFzNXARrGTv8swnkTJauFRHWF6HcXMD Vw1BKihziU2zIwstpNIo/Vu493aYlBpHdrBJKONaJiUNDPNCsLlstnFFVe6I/wwpyK8s axkeUeO8L+pZVyr9+VO20kS344gahJ7udRJU7U8Mf/Yrj6ETrQ1d/xl2UzpUosomD7wY wb6lIEvbLDZB1QL5jDn8MC3JTu0ZQC0QA/YIWt8c1Fy0vxenkvYRKsWArY/YZQTwCl82 ruNgazbjGvievijRgWh0Mdijl6tqv6JCPbEcimDgZDRcIMBtXFvG/wR7B+tUd77BsbTq +TSQ==
X-Gm-Message-State: ALyK8tIkaP1CqdrscLYQSw6/lPaqX9YPTM+DXg3LxU8wMd80tXgw6zHRTI1ZZC98YdsKRA==
X-Received: by 10.36.122.210 with SMTP id a201mr1924995itc.13.1466019524539; Wed, 15 Jun 2016 12:38:44 -0700 (PDT)
Received: from stebila-imac.cas.mcmaster.ca (stebila-imac.cas.McMaster.CA. [130.113.68.195]) by smtp.gmail.com with ESMTPSA id g73sm17750035iog.6.2016.06.15.12.38.42 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 15 Jun 2016 12:38:43 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com>
Date: Wed, 15 Jun 2016 15:38:42 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7935161-5856-4140-823E-2A13ED239D6B@gmail.com>
References: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5F_hvEe-MupOGvNQJAhadZ4tBME>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Closing on keys used for handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2016 19:38:47 -0000
On Jun 3, 2016, at 17:54, Joseph Salowey <joe@salowey.net> wrote: > > Unfortunately, the TLS record framing is not easily compatible with having multiple keys used simultaneously: because we encrypt the content type, it is not possible to use it to determine which key to use to decrypt. We examined a number of proposals which would allow you to simultaneously have encrypted content types and separate keys, but they all appear to be nonviable for one reason or another: [...] > • Separately encrypting the content type is inefficient in a number of ways, especially for DTLS (and would need separate security analysis). This is probably the most viable of the “try to get both” designs. I'd also like more information about the reasoning behind saying that separately encrypting the content type is inefficient. There was some discussion off-list (but not much) about a proposal to encrypt content type (handshake or application) with a separate key, then encrypting data with the corresponding key (handshake key or application key). The content type would be encrypted using unauthenticated encryption, resulting in a single byte of ciphertext. The authenticated encryption using the corresponding key would include the type as associated data to authenticate it. This had a few drawbacks as I remember it: 1) requires one additional byte in the communication; 2) requires deriving and keeping an extra key (the "content type key") around; 3) requires additional encryption/decryption 4) composability of the application key would still be lost because of post-handshake client authentication. In the off-list discussion, Eric had a potential solution to (1). (3) was unavoidable but in my opinion relatively minimal cost. (4) is true, but we now have Hugo's results that give a form of restricted composability that accommodate post-handshake client authentication. There may have been additional discussions that I wasn't around for. I have heard it suggested that (2) is the particularly problematic aspect for DTLS, but I do not know enough about DTLS to understand this. Even if it is problematic for DTLS, if it is not so problematic for TLS, then why not do it for at least TLS? Douglas
- Re: [TLS] Closing on keys used for handshake and … Douglas Stebila
- [TLS] Closing on keys used for handshake and data… Joseph Salowey
- Re: [TLS] Closing on keys used for handshake and … Dave Garrett
- Re: [TLS] Closing on keys used for handshake and … Ilari Liusvaara
- Re: [TLS] Closing on keys used for handshake and … Björn Tackmann
- Re: [TLS] Closing on keys used for handshake and … Daniel Kahn Gillmor