Re: [TLS] ETSI releases standards for enterprise security and data centre management

Tony Arcieri <bascule@gmail.com> Sat, 01 December 2018 17:24 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 468D6130DCB for <tls@ietfa.amsl.com>; Sat, 1 Dec 2018 09:24:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkQ0JtrfZc_S for <tls@ietfa.amsl.com>; Sat, 1 Dec 2018 09:24:30 -0800 (PST)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 960EF130DBE for <tls@ietf.org>; Sat, 1 Dec 2018 09:24:30 -0800 (PST)
Received: by mail-oi1-x230.google.com with SMTP id w13so7485777oiw.9 for <tls@ietf.org>; Sat, 01 Dec 2018 09:24:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cJmjGXQrDfw7qDGFnq8J4bYv8bivJHHHVkM1au8ZXJg=; b=lFinIZSVsvc2PVwaw8DEau5Ye+uNQKlbaFEILDczf/2KfS0CjeInzIO7bLEcMLMWL1 1xa46dGC93sX3dgzN1VWNFb2RU2urt/sIduPwHm42gO6rz5Szo3Ifl3YUNdiRlPQ6Uw7 VwnvlB/pmx3Zxbu51jBblQsHFOV0U4wh+ER4JxHbi0iUyv24yMWRRNho9o6I1un528uB Vqdl4zSZOcC2cUjQYXV42Dmel24IqH+WaA5+8Qy84sASe+KBQS84lyhdIj/PZQHvJObW 6YN8yih7CsyAPX4HYngMmx9aI2yj/BJlHCbNZMEFyA9X4IFFG+Mbp+9djNfLtPjEU0Lh YMZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cJmjGXQrDfw7qDGFnq8J4bYv8bivJHHHVkM1au8ZXJg=; b=WLwL65R5628tYHT2gn4iHGl2nrlrJ0Cnye1CA/WK3K5hmaD/cw3Zik5S23SCc4Q/Xi dT818FrkkLIGFcBGlJeKknyfPe4jlWah55Mgtjedy8C56l0NvuvZEasqmFVJ0EzsNkfc fkDvnPgn1wYSfKs0g3zYi7yiQZlCduOXuAo1+VpqMbzbAm1GXcJ6vwsUMNJT8LvvfsgE 5PCHhlut5TObctG7zhWb750FcJ0B/k73DVyDvmp/L4ygSv3zXitF82w5U8f6WAo0GfLR mffNKOKrA0W0KXKPP7LKltnfIjd2MW+J8yFCfCW70z9WMK0kfktG6KbszMZPZXdIjQjq u3rQ==
X-Gm-Message-State: AA+aEWY3vAK5R4+GScgiW/6efgATw7rz0GG6jCEiO+F0Rpvd3r3RbE2D zVO1zyUIqtCsXPlGaR7R1pRImOEAr95KM0YPmf0=
X-Google-Smtp-Source: AFSGD/Ua2QucACl2caP0nXQ3rTfmqaT/H0z2mKVvLqKQcD7IWIzj6JQ33z9DD+9r6N6YH7LZiZK0VQPxSYKzY4V4GIA=
X-Received: by 2002:aca:ba02:: with SMTP id k2mr6447234oif.177.1543685069711; Sat, 01 Dec 2018 09:24:29 -0800 (PST)
MIME-Version: 1.0
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com>
In-Reply-To: <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Sat, 1 Dec 2018 09:24:18 -0800
Message-ID: <CAHOTMV+ppxTmNaBdTOEkXzX_LWWcE=RMu4sxN3CsHTEga_8M2Q@mail.gmail.com>
To: beldmit@gmail.com
Cc: Crypto <cryptography@metzdowd.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039afd2057bf93012"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DZ9p7D4wzRuCRFasy5ptr4edrbw>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Dec 2018 17:24:32 -0000

On Sat, Dec 1, 2018 at 8:12 AM Dmitry Belyavsky <beldmit@gmail.com>; wrote:

> I do not understand why the ETSI solution does not provide ability to
> impersonate clients/servers.
>

My understanding of this solution is a "visibility" system would have
access to a not-so-ephemeral ECDHE private key. This gives it access (via
passive observation) to all session keys ultimately derived from ECDHE key
agreement, including the resumption master secret.

See RFC 8446, section 7.1: Key Schedule

(EC)DHE -> HKDF-Extract = Handshake Secret
             |
             +-----> Derive-Secret(., "c hs traffic",
             |                     ClientHello...ServerHello)
             |                     = client_handshake_traffic_secret
             |
             +-----> Derive-Secret(., "s hs traffic",
             |                     ClientHello...ServerHello)
             |                     = server_handshake_traffic_secret
             v
       Derive-Secret(., "derived", "")
             |
             v
   0 -> HKDF-Extract = Master Secret
             |
             +-----> Derive-Secret(., "c ap traffic",
             |                     ClientHello...server Finished)
             |                     = client_application_traffic_secret_0
             |
             +-----> Derive-Secret(., "s ap traffic",
             |                     ClientHello...server Finished)
             |                     = server_application_traffic_secret_0
             |
             +-----> Derive-Secret(., "exp master",
             |                     ClientHello...server Finished)
             |                     = exporter_master_secret
             |
             +-----> Derive-Secret(., "res master",
                                   ClientHello...client Finished)
                                   = resumption_master_secret


-- 
Tony Arcieri