Re: [TLS] Key Schedule (PRs #453, #454).
Eric Rescorla <ekr@rtfm.com> Thu, 19 May 2016 19:14 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 530AF12D62D for <tls@ietfa.amsl.com>; Thu, 19 May 2016 12:14:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vIk0GxaxlEF for <tls@ietfa.amsl.com>; Thu, 19 May 2016 12:14:28 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6D2512DBC4 for <tls@ietf.org>; Thu, 19 May 2016 12:14:25 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id g133so88150197ywb.2 for <tls@ietf.org>; Thu, 19 May 2016 12:14:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Xa8Wk4NbVFs/cVQ9N8fDUK73+BypT4yjiU8ZdHQDFoU=; b=mxKIayr15XzOjg3R87+ay5wFF8LPGGlKaRmnUeRqLXDqL4O/WSrtNoUtpx2uslI7VA 75gAKgn2nR5W7uX9x06s8U7BNjwnfVX3RjigbvIqP4mkcja5YFcPJkTlmLPr8beoAzG4 rhI7eKlzofrEHbWLM8Z9KgSDaKHBkXiU1nJ6U3KItR2+7NPWZt0cEvafa3qpunULFHmN sUz+qHce9DoTLKUlmV5WFUjDVzZHnFEh0qfTb94bZwN9jr+6gD5qFZsVSir9Wd6H6FwF K+1QmnIuCPimB+D+9CwJ8aATriKYaHtX2Q/tayC8AUdbGlpCvsdi5vOb2GrmiaRtImLA svyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Xa8Wk4NbVFs/cVQ9N8fDUK73+BypT4yjiU8ZdHQDFoU=; b=AFCRB6lnSFby+WMVV0gf+ZIyNKZbOg2qa/+//C4g5pk/Yl7BAIGeH/pJQe+byja03R IdFnVl8KEzC0Og9uzLKBcuNeIZc7BN9hj0FrJmaebZPpWfs+/loNiuHjuYj2JM46H/Xp LCJk0A7vaObNJLZdvJHIuxROpBJFmB71r7A0GUWPE8zECjoy1I0QVtnM2NtcsnQlSrJo 1mzQj4Y6+nSTmp3/+2+mVBQfbBOJccm/Bpe0Up+nBnIkRLb5O4Ig+o1YHp0zCOY7r16D vJIudct8RDf1DM1kaKCSMp7q12cH4EC8vs7WrmnmEjUCFdmpa6oJ2kB5gBoa22eLHQy0 77Kw==
X-Gm-Message-State: AOPr4FV3bdTsn6cryafTamNtT5MXNMa91xrx6npXf3p7J6Yi4NRJ1JFCeDgm7T/MEpq92ikti8a5nantETeKFw==
X-Received: by 10.13.233.1 with SMTP id s1mr8205976ywe.286.1463685264999; Thu, 19 May 2016 12:14:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Thu, 19 May 2016 12:13:45 -0700 (PDT)
In-Reply-To: <20160519191152.GA4667@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBN+T1uAc8Eye3Q7M7W96XJoG8+=Ng+uZNzzf-XeJWY_7Q@mail.gmail.com> <20160519191152.GA4667@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 19 May 2016 12:13:45 -0700
Message-ID: <CABcZeBOe6AvohAoBn_SqWm_7Ki5dXhTSc0jYyQKrN6H+cq-EYQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c07cfb448bc4b053336c81d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5T_8QIAszocHarYRzjIPNB900CU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Key Schedule (PRs #453, #454).
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 19:14:29 -0000
On Thu, May 19, 2016 at 12:11 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Thu, May 19, 2016 at 10:41:16AM -0700, Eric Rescorla wrote: > > > > An additional nice point about this design is that it easily > > accomodates additional keys. For instance, if we had some post-quantum > > key exchange method, we could easily add its key in the final > > Add-Secret or add an extra Add-Secret stage before HS. Similarly, if > > we had a long-term DH key as in OPTLSv1, it could replace the 0 in the > > final Add-Secret. > > Just one thing to be careful of: If one has off-handshake counter- > keys[1] (like the now-removed GDH 0-RTT mode had), one needs to hash > those in, or one gets all kinds of crypto screw (which may or may not > be actually exploitable...) > > The "context identifier" looks real handy for that purpose.. Yep. We were thinking that too! Thanks for the quick look. -Ekr > > > CONTEXT IDENTIFIER > > > > The resumption_psk is then used as the PSK for resumption and the > > resumption_context is added to the hash of the handshake messages > > whenever you use them, currently just by appending to the hash, as in: > > > > Hash(handshake messages) +resumption_context > > > > This is used *both* to derive the keys and for the input to > > the CertificateVerify/Finished. For convenience, I've > > Oh, even better than the original "contexts" proposal, as this is > non-checked. As said, if you ever need off-handshake counterkeys > (as above, and you most probably do for adding any sort of realistic > post-quantum capabilities[2]), this looks real handy for mixing those > in. > > > [1] Any server-side key that isn't explicitly sent as part of the hand- > shake (most probably having been sent before in prior handshake) but > still is involved in the handshake. > > [2] There does exist PQ Key Agreement, but it currently just provoded by > one system that is relatively slow (through not completely impractical) > and severly underanalyzed (major problem). > > > -Ilari >
- [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Martin Thomson
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla