Re: [TLS] DTLS Key Separation PR

"Martin Thomson" <mt@lowentropy.net> Thu, 10 October 2019 02:01 UTC

tl;dr keep the space.

I had a little trouble reproducing the 12 from RFC 8446, so I double-checked.

...

Working from the base for SHA-256:

The last block of SHA-256 is rounded up to 448 bits (56 bytes), less one to allow for padding.  Therefore we have 55 bytes to use without having to run two blocks through SHA-256.

HMAC-Hash = H(K XOR opad || H(K XOR ipad || text))

Here `K XOR ipad` is the 32-byte output size of SHA-256, so we are down to 23 bytes for text before it adds a block.

HKDF-Expand = HMAC-Hash(PRK, info || 0x01)

This takes one more.  Down to 22.

HKDF-Expand-Label passes info in the form of:

       struct {
           uint16 length = Length;
           opaque label<7..255> = "tls13 " + Label;
           opaque context<0..255> = Context;
       } HkdfLabel;

which has a minimum overhead of 2 + 1 + len("tls13 ") + 1 = 10.  So we get 12.

"c ap traffic" is 12 bytes long, so yeah it *looks* like we're stuck if we care about not adding too many extra hash iterations.

...

But if you look at the key schedule, we always provide a context for those cases where we use "c ap traffic".  Those will always spill over into the next iteration as Context is 32 bytes.  So for those cases, we have a whole 32 bytes extra to play with.  The only cases with an empty Context are "derived" and "res binder"|"ext binder".  Those max out at 10, so we seem to have two whole bytes of wiggle room.

You can safely add the space.

On Wed, Oct 2, 2019, at 08:40, Eric Rescorla wrote:
> Hi folks,
> 
> As discussed in Montreal, I've prepared a PR to give us DTLS/TLS key separation.
> 
> See: 
> https://github.com/tlswg/dtls13-spec/pull/99
> 
> Sadly, we didn't have enough space for "dtls13 ", so I went for "dtls13".
> 
> -Ekr
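The block counting in this thread can be checked mechanically. The following Python is an added example, not code from the thread or from the dtls13-spec PR: it serialises HkdfLabel as RFC 8446 defines it and counts the SHA-256 compression calls for the single HMAC that HKDF-Expand runs when L is at most 32, under the `tls13 `, `dtls13 ` and `dtls13` prefixes. The 32-byte Context is a constructed stand-in for a transcript hash.

```python
import struct

BLOCK = 64  # SHA-256 block size in bytes
OUT = 32    # SHA-256 digest size in bytes

def sha256_blocks(msg_len: int) -> int:
    """Compression calls SHA-256 makes over msg_len bytes. Padding is 0x80,
    zeros and an 8-byte length, so 55 bytes is the largest one-block message."""
    return (msg_len + 9 + BLOCK - 1) // BLOCK

def hmac_sha256_blocks(text_len: int) -> int:
    """Compression calls for HMAC-SHA256 over text_len bytes of text. The inner
    hash first absorbs the full 64-byte (K XOR ipad) block; the outer hash
    always covers (K XOR opad) || 32-byte inner digest = 96 bytes = 2 blocks."""
    return sha256_blocks(BLOCK + text_len) + sha256_blocks(BLOCK + OUT)

def hkdf_label(length: int, label: bytes, context: bytes,
               prefix: bytes = b"tls13 ") -> bytes:
    """Serialise HkdfLabel from RFC 8446 7.1: uint16 length,
    opaque label<7..255> = prefix + Label, opaque context<0..255>."""
    full = prefix + label
    if not 7 <= len(full) <= 255 or len(context) > 255:
        raise ValueError("label or context out of range")
    return (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)

def expand_label_blocks(label: bytes, context: bytes,
                        prefix: bytes = b"tls13 ") -> int:
    """HKDF-Expand with L <= 32 runs exactly one HMAC over info || 0x01;
    the uint16 length field is 2 bytes whatever L is, so OUT is used."""
    return hmac_sha256_blocks(len(hkdf_label(OUT, label, context, prefix)) + 1)

# Key-schedule labels with the Context they actually receive: Derive-Secret
# always passes Transcript-Hash(Messages) (32 bytes for SHA-256, a constructed
# stand-in here), while traffic-key and finished derivations pass "".
TRANSCRIPT = bytes(range(OUT))
CASES = [(b"derived", TRANSCRIPT), (b"c hs traffic", TRANSCRIPT),
         (b"c ap traffic", TRANSCRIPT), (b"key", b""), (b"finished", b"")]
PREFIXES = (b"tls13 ", b"dtls13 ", b"dtls13")

def compare_prefixes() -> dict:
    """Map each label to its compression-call count under each prefix."""
    return {lbl.decode(): tuple(expand_label_blocks(lbl, ctx, p) for p in PREFIXES)
            for lbl, ctx in CASES}

if __name__ == "__main__":
    for lbl, counts in compare_prefixes().items():
        print(f"{lbl:14s}", dict(zip((p.decode() for p in PREFIXES), counts)))
```

With SHA-256, the 12-character labels that carry a 32-byte Context fill the second inner block exactly, so a seventh prefix byte costs one extra compression call there, while the short labels with an empty Context have room to spare.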