Re: [TLS] KeyUpdate and unbounded write obligations

Keith Winstein <> Fri, 19 August 2016 00:18 UTC

From: Keith Winstein <>
Date: Thu, 18 Aug 2016 17:18:13 -0700
To: Adam Langley <>

On Thu, Aug 18, 2016 at 2:26 PM, Adam Langley <> wrote:

> I think I was because I hadn't seen your Berlin presentation. But I'm still
> going to hijack this thread and ask you to expand on some of these points so
> that I understand your motivation :)

Fair enough. :-)

>> - An embedded device may wish to fully rotate the session keys before
>> going to sleep.
> I imagine the argument here goes:
> 1) Sleep is good because it saves power.
> 2) To sleep we need to power down (and erase) most memory.
> 3) So to keep a TLS connection across sleep/wake secrets have to be saved to
> flash, but that's hard to erase so we don't want to expose keys that were
> used to encrypt traffic.

Yeah, our reasoning follows yours and goes a little further:

4) I don't know when I'm going to wake up again.
5) I don't want a subsequent compromise of me *or* the other side to
reveal prior plaintext from the session.
6) Because I'm going to sleep, it's now or never to make sure the
session keys aren't retained.
7) Therefore, I'd like to make sure both sides have ratcheted forwards
before I go to sleep.

> For that I see why one needs KeyUpdate to be echoed: as the embedded device,
> you want the peer to rotate keys so that you can write only fresh keys to
> flash. On wake you want the other side to rotate again so that the keys in
> flash were only used to authenticate a new KeyUpdate.
> But why do you need the other side to have confirmed that it has erased your
> keys? I think you only care that it echoes your KeyUpdate messages promptly.

Agreed, P1+P2 is sufficient if the device only cares about making sure
*it* is not going to leak keying material (that can reveal prior
plaintext) if there is a compromise during sleep. You need P3 if you
are also concerned the peer might be holding on to an old key.

>> - A paranoid device might fully rotate the session keys before closing
>> the session. (If confirmation is absent, the device might use a
>> higher-level mechanism to forcibly log out all open sessions from that
>> user.)
> The worry here is that a peer might be seized and subject to a cold-boot
> attack to lift the TLS connection keys? So if you don't hear from it every
> $x seconds you'll log it out?

Probably nothing that elaborate.

The device is concerned that after the session is over (from its
perspective), the server might get compromised, and the attacker reads
the key for a long-dormant session out of the server's /dev/mem, and
uses it to decrypt prior ciphertext.

One approach is that the device should make sure to close every
session with a secure bidirectional close, where the server actually
confirms that the session is dead in both directions. But TLS does not
have a secure bidirectional close. (Even when used, close_notify only
promises there will be no more data in *that* direction.)

However, the device can try to guarantee that both sides have
ratcheted past all the keys that could reveal prior plaintext.

> Again does the confirmation here help?

The confirmation is the way for the device to know that the server has
read its request to ratchet the client-to-server traffic key forwards.
(And the idea would be, if the device doesn't get that confirmation
and really wants it, it may have to raise a warning and handle this at
the application layer -- e.g. by opening a new session to the server
and issuing a "kill all sessions" command.)

> What if you send a KeyUpdate and receive a change password request? The peer
> might well have sent it before receiving your KeyUpdate, or maybe it was seized and
> will just choose not to echo your KeyUpdate.

Sure, there's nothing you can do if the peer gets compromised while
important keys still live on it. But the idea here is for the device
to be able to make sure the keys get ratcheted after all the data is
sent but before there can be a later compromise. Basically
approximating (some of) the semantics of an actual secure
bidirectional close.

> If they have a channel to the user where they are sending a stream of old
> keys, couldn't they just mirror the plaintext of the connection to keep
> things simple? I guess you worry about a device that's cooperative enough to
> put in the effort to have their audit channel but lies about the plaintext?

Right, exactly. (Ideally, the device doesn't even know it's being
audited until the user logs in to the Web UI and says, "okay, now,
ratchet the session and then share the old keys with this auditor that
I am going to introduce you to, so it can decrypt some earlier
ciphertext I've been capturing." So we don't want a parallel channel
and we don't even want the device to have to know about the audit
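As an added illustration of the ratchet-and-echo behaviour discussed in this thread (not code from the thread or from any TLS implementation), here is a small Python model of a TLS 1.3-style KeyUpdate exchange sent with update_requested. `Endpoint`, `sleep_safe_rotation`, the generation counters and the initial secrets are constructed for the example; the per-direction derivation follows HKDF-Expand-Label with the "traffic upd" label from RFC 8446, and in-order delivery is assumed, so the crossing-KeyUpdate case Adam raises is not modelled.

```python
import hashlib
import hmac

def hkdf_expand_label(secret, label, length=32):
    # TLS 1.3 HKDF-Expand-Label with empty context; one HMAC-SHA256 block covers length <= 32
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + b"\x00"
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]

class Endpoint:
    """One side of the connection: per-direction traffic secrets plus their generation counters."""
    def __init__(self, name, send_secret, recv_secret):
        self.name, self.peer = name, None
        self.send_secret, self.recv_secret = send_secret, recv_secret
        self.send_gen = self.recv_gen = 0
        self.awaiting_echo = self.echo_seen = False

    def send_key_update(self, request_update):
        # KeyUpdate goes out under the current key; only then is the send key ratcheted and
        # the old secret dropped, so nothing sent before this point is recoverable from us.
        msg = {"request_update": request_update, "gen": self.send_gen}
        self.send_secret = hkdf_expand_label(self.send_secret, b"traffic upd")
        self.send_gen += 1
        self.awaiting_echo = request_update
        self.peer.receive_key_update(msg)  # in-order delivery assumed (no crossing KeyUpdates)

    def receive_key_update(self, msg):
        assert msg["gen"] == self.recv_gen, "KeyUpdate must arrive under the current receive key"
        self.recv_secret = hkdf_expand_label(self.recv_secret, b"traffic upd")
        self.recv_gen += 1
        if self.awaiting_echo:  # the peer's KeyUpdate is the only evidence it processed ours
            self.awaiting_echo, self.echo_seen = False, True
        if msg["request_update"]:
            self.send_key_update(False)  # answer with update_not_requested: no ping-pong

def sleep_safe_rotation():
    """Constructed scenario: a device about to sleep asks its server to ratchet both directions."""
    c2s, s2c = b"C" * 32, b"S" * 32  # constructed initial traffic secrets, not real key material
    device, server = Endpoint("device", c2s, s2c), Endpoint("server", s2c, c2s)
    device.peer, server.peer = server, device
    device.send_key_update(request_update=True)
    return {
        "device_gens": (device.send_gen, device.recv_gen),
        "server_gens": (server.send_gen, server.recv_gen),
        "in_sync": device.send_secret == server.recv_secret and device.recv_secret == server.send_secret,
        "old_keys_gone": c2s not in (device.send_secret, server.recv_secret)
                         and s2c not in (device.recv_secret, server.send_secret),
        "echo_seen": device.echo_seen,
    }
```

After the exchange both directions sit at generation 1 with the generation-0 secrets held by neither side, and `echo_seen` is what the device treats as the peer's confirmation that its request was processed.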