IETF Logo Mail Archive

Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

Douglas Stebila <dstebila@gmail.com> Tue, 12 July 2016 14:46 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1024112D8B9 for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 07:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id myE03vPlhtH8 for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 07:46:21 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E258F12DCCE for <tls@ietf.org>; Tue, 12 Jul 2016 07:00:37 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id q83so17178217iod.1 for <tls@ietf.org>; Tue, 12 Jul 2016 07:00:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=9BLU23SrWq9nuBC+5x3/51Vr64RB0cnk5cSw6BimVjM=; b=xKgIgjcIgmvCIMn2URh2QAvOKWHItZ6hrJFMsV9j17GinA8vmgwGhTzcP+pawzmUqE /G/QscYnbEjyRwr1kd57zKeq/viJsaQM2hKpG/RIz+ocaQ6ftuQBY2/uuMZLmXfu/HcN 2Pr+pHs1bGN8esD4et/ZlADtqdOk6kwjOGCEJhEnL/jDyXFUCytsiF094KRNWI2zdRWT kslTWmRDa4yllXPyf+yaKPP3Edc5gqBnqTZO3wp/9ompztPPbbRP2T7v4qzHfjKTTH8B V/BpWJBXoJqOPKozt2+O2JgTgw1G+TWe99+vK5mFlcHQOsBwdQZj3Ei90W9zLN+Q9UbU B3iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=9BLU23SrWq9nuBC+5x3/51Vr64RB0cnk5cSw6BimVjM=; b=fU29LTb2yEr6U0nSqDXjiZhlmb8+CEWF42n0LYmtvP4/AwY8kkrCj8t+j/xSItkzJP Zwdn1ggjEteJaUI+y6nw5acQQ6PCc54XdH4SEnZKhBZJeK0v0Qzc89nKQ9DHcdjlBsAv sxLrbEABHSSJ+0T7qTEmqkEviJhxLNa+BCFWVG2m9htBgvDTvjfY0nBXL00OmiOmOeIS EQ0mky89YDgq6elYn/7212hRWXXLAar5oEhbIZ+Ljtkkx0T7ri9k3xO3t9KFO+LbZXu2 XX6OBcmlVYL+1KQl0pZyD+cra0DRsyhuYd0lrKsrAXr1RpZzDuqNgrNpIh1FnJ8mXDBI 9AsA==
X-Gm-Message-State: ALyK8tKcvCmAHn5I8vlP6b55wVRJPSt+zwIXQLrIVoqXilAL5OxdHIMaSXKoXjnxM5db3Q==
X-Received: by 10.107.44.194 with SMTP id s185mr3458795ios.0.1468332036943; Tue, 12 Jul 2016 07:00:36 -0700 (PDT)
Received: from stebila-imac.cas.mcmaster.ca (stebila-imac.cas.McMaster.CA. [130.113.68.195]) by smtp.gmail.com with ESMTPSA id p21sm12758750iop.0.2016.07.12.07.00.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 12 Jul 2016 07:00:35 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <CY1PR03MB21554CF98C27A89230DDD5F18C3F0@CY1PR03MB2155.namprd03.prod.outlook.com>
Date: Tue, 12 Jul 2016 10:00:35 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <3F568B47-BE31-4EBB-AA95-C3045911956B@gmail.com>
References: <C6FAB38B-FF5A-43D3-A0DB-554FAF23ED92@gmail.com> <CY1PR03MB21554CF98C27A89230DDD5F18C3F0@CY1PR03MB2155.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AHSHdcUsmjXkVkoCFSMPX5CZprQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 14:46:23 -0000

> On Jul 11, 2016, at 19:24, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 
> As currently defined, post-handshake client auth allows the same client to present different identities, but not to repudiate a previously presented identity. So in your example, from the TLS perspective, the client is both Alice and Bob, and therefore I think the same EKM value makes sense.

Even if that's how it's defined, we cannot be sure that applications which use EKM will realize that.  We should not underestimate how much applications may abuse TLS or misunderstand TLS's security properties.

> On Jul 11, 2016, at 21:13, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> Back to the question...
> One challenge with this is that exporters are often used to compare
> things.  For instance, one side signs an exported value, the other
> validates the signature by independently exporting the same value.
> Getting different values for a particular exporter will cause some
> classes of things to fail in subtle ways.

Agreed, this does create the possibility that the endpoints will export different values at different times due to unsynchronized context switches.  

However, we should compare this failure mode (which might cause two "partnered" parties to not get the same exporter key) with the failure mode if we use the same EKM for the whole session (which might cause more parties than we expect to get the same exporter key).  Fail-closed versus fail-open.

Douglas


> On 12 July 2016 at 05:39, Douglas Stebila <dstebila@gmail.com> wrote:
>> Some of the discussions I've had with people about post-handshake client authentication have raised the question of whether application traffic secrets should be updated automatically upon post-handshake client authentication: the thinking being that every change in context should be accompanied by a change in keying material.  I used to think that was a good idea for TLS 1.3, although it was recently argued to me that if we view the application traffic secrets as being "internal" to the TLS protocol, then the change in client authentication status doesn't change the confidential or integrity properties of the record layer, it just serves as a "marker" to the application that certain portions of the application data were associated with certain authentication contexts.  I was convinced that this can be safely accomplished without a change in application traffic secret key material.
>> 
>> But I'm not sure that the same applies to *exporter* keys.  Should exported keying material change as the authentication context changes?
>> 
>> Consider a long-lived TLS connection, where different users come and go.  For example, a web browser on a public terminal may have established a long-lived TLS connection to a particular website, and send subsequent requests to the same website over the same TLS connection.  Now imagine two users use the terminal one after another:
>> 
>> 1: initial handshake on a public terminal
>> 2: [time passes]
>> 3: Alice starts browsing
>> 4: Alice does post-handshake client authentication
>> 5: Alice purchases something
>> 6: Alice hits "logout" at the application layer
>> 7: [time passes]
>> 8: Bob starts using the terminal
>> 9: Bob does post-handshake client authentication
>> 10: Bob purchases something
>> 11: Bob hits "logout" at the application layer
>> 
>> TLS 1.3 will tell the application about events 4 and 9.  Events 6 and 11 happen at the application layer rather than the TLS layer (since I don't think TLS 1.3 has a client-de-authentication option).  But putting this all together, the application will learn all the correct authentication contexts: 1-3 is anonymous, 4-5 is Alice, 6-8 is anonymous, 9-10 is Bob, 11-onwards is anonymous.
>> 
>> Now imagine that we use keying material exporters in on lines 5 and 10:
>> 
>> 1: initial handshake on a public terminal
>> 2: [time passes]
>> 3: Alice starts browsing
>> 4: Alice does post-handshake client authentication
>> *5: Alice presses the "export keying material" button
>> 6: Alice hits "logout" at the application layer
>> 7: [time passes]
>> 8: Bob starts using the terminal
>> 9: Bob does post-handshake client authentication
>> *10: Bob presses the "export keying material" button
>> 11: Bob hits "logout" at the application layer
>> 
>> Since the exporter master secret is not updated when client authentication changes, Alice and Bob will export the same keying material at steps 5 and 10.  If the intended goal of this exported key is for Alice to obtain confidentiality in some other use, this will not be achieved, since Bob will obtain the same exported key.
>> 
>> Now, a proviso is that RFC 5705 allows for the application to mix a "context value" into the export, which could mitigate this, but that is optional.
>> 
>> So it seems to me like in at least some scenarios, exported keying material should be associated with authentication context.  It is less clear to me if the same holds true for KeyUpdates.
>> 
>> Douglas
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email