IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 01 September 2016 21:29 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 521BF12D0A3 for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:29:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rG_zoqH5jJAd for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:29:26 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 174FE12D7A7 for <tls@ietf.org>; Thu, 1 Sep 2016 14:29:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 76D55F3CF; Fri, 2 Sep 2016 00:29:24 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Edjr8DBF0zZH; Fri, 2 Sep 2016 00:29:24 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-237-87.bb.dnainternet.fi [87.100.237.87]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 1AFF821C; Fri, 2 Sep 2016 00:29:24 +0300 (EEST)
Date: Fri, 02 Sep 2016 00:29:23 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160901212923.wixkxurtmyxmnsi2@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com> <95C31431-189C-41ED-A2D2-E370A5FB8F7A@vigilsec.com> <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com> <20160901210952.hj34o2ycel2ssd65@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPNrNziYoE7T9UcjxUYZr4RN3COm=hazikAsmVF6A11_A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBPNrNziYoE7T9UcjxUYZr4RN3COm=hazikAsmVF6A11_A@mail.gmail.com>
User-Agent: NeoMutt/ (1.7.0)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AwmMbphJ9cLthg6nGpT0V9TMj_E>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 21:29:28 -0000

On Thu, Sep 01, 2016 at 02:20:02PM -0700, Eric Rescorla wrote:
> On Thu, Sep 1, 2016 at 2:09 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > I tried to implement this, and discovered an issue:
> >
> > The client handshake traffic secret is needed for deriving client
> > Finished, and client application traffic secret is only needed after
> > that point. However, the derivation of client application traffic
> > secret uses handshake hash post Server Finished.
> >
> > So you either need to buffer the handshake hash value, or have two
> > overlapping client traffic secrets.
> >
> > Changing the client application traffic secret context to extend
> > up to Client Finished would solve the issue.
> >
> 
> Hmm.... having the keys in one direction cover the client's certificate and
> certverify
> and the keys in the other direction not seems pretty sketchy.
> 
> As I understand this, it's just an aesthetic issue, right?

I don't think this is just aesthetic issue:

- If you derive the traffic secret at the moment the right hash is
  available, you need to stash the traffic secret for later (one
  can't overwrite the existing one, since you will need that for
  ClientFinished).
- If you derive the traffic secret just before use, you need to
  have saved the hash value used for derivation, since the
  ClientFinished (and possibly Certificate(Verify)) has altered it.


-Ilari

v2.14.0 | Report a Bug | By Email