Re: [TLS] ETSI releases standards for enterprise security and data centre management
Tony Arcieri <bascule@gmail.com> Sat, 01 December 2018 17:24 UTC
Return-Path: <bascule@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 468D6130DCB for <tls@ietfa.amsl.com>; Sat, 1 Dec 2018 09:24:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkQ0JtrfZc_S for <tls@ietfa.amsl.com>; Sat, 1 Dec 2018 09:24:30 -0800 (PST)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 960EF130DBE for <tls@ietf.org>; Sat, 1 Dec 2018 09:24:30 -0800 (PST)
Received: by mail-oi1-x230.google.com with SMTP id w13so7485777oiw.9 for <tls@ietf.org>; Sat, 01 Dec 2018 09:24:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cJmjGXQrDfw7qDGFnq8J4bYv8bivJHHHVkM1au8ZXJg=; b=lFinIZSVsvc2PVwaw8DEau5Ye+uNQKlbaFEILDczf/2KfS0CjeInzIO7bLEcMLMWL1 1xa46dGC93sX3dgzN1VWNFb2RU2urt/sIduPwHm42gO6rz5Szo3Ifl3YUNdiRlPQ6Uw7 VwnvlB/pmx3Zxbu51jBblQsHFOV0U4wh+ER4JxHbi0iUyv24yMWRRNho9o6I1un528uB Vqdl4zSZOcC2cUjQYXV42Dmel24IqH+WaA5+8Qy84sASe+KBQS84lyhdIj/PZQHvJObW 6YN8yih7CsyAPX4HYngMmx9aI2yj/BJlHCbNZMEFyA9X4IFFG+Mbp+9djNfLtPjEU0Lh YMZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cJmjGXQrDfw7qDGFnq8J4bYv8bivJHHHVkM1au8ZXJg=; b=WLwL65R5628tYHT2gn4iHGl2nrlrJ0Cnye1CA/WK3K5hmaD/cw3Zik5S23SCc4Q/Xi dT818FrkkLIGFcBGlJeKknyfPe4jlWah55Mgtjedy8C56l0NvuvZEasqmFVJ0EzsNkfc fkDvnPgn1wYSfKs0g3zYi7yiQZlCduOXuAo1+VpqMbzbAm1GXcJ6vwsUMNJT8LvvfsgE 5PCHhlut5TObctG7zhWb750FcJ0B/k73DVyDvmp/L4ygSv3zXitF82w5U8f6WAo0GfLR mffNKOKrA0W0KXKPP7LKltnfIjd2MW+J8yFCfCW70z9WMK0kfktG6KbszMZPZXdIjQjq u3rQ==
X-Gm-Message-State: AA+aEWY3vAK5R4+GScgiW/6efgATw7rz0GG6jCEiO+F0Rpvd3r3RbE2D zVO1zyUIqtCsXPlGaR7R1pRImOEAr95KM0YPmf0=
X-Google-Smtp-Source: AFSGD/Ua2QucACl2caP0nXQ3rTfmqaT/H0z2mKVvLqKQcD7IWIzj6JQ33z9DD+9r6N6YH7LZiZK0VQPxSYKzY4V4GIA=
X-Received: by 2002:aca:ba02:: with SMTP id k2mr6447234oif.177.1543685069711; Sat, 01 Dec 2018 09:24:29 -0800 (PST)
MIME-Version: 1.0
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com>
In-Reply-To: <CADqLbzL16cnm-WQXj4bh9awOp6Qqnu21cQd3T9XxpVhHse8yoQ@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Sat, 01 Dec 2018 09:24:18 -0800
Message-ID: <CAHOTMV+ppxTmNaBdTOEkXzX_LWWcE=RMu4sxN3CsHTEga_8M2Q@mail.gmail.com>
To: beldmit@gmail.com
Cc: Crypto <cryptography@metzdowd.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039afd2057bf93012"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DZ9p7D4wzRuCRFasy5ptr4edrbw>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Dec 2018 17:24:32 -0000
On Sat, Dec 1, 2018 at 8:12 AM Dmitry Belyavsky <beldmit@gmail.com> wrote: > I do not understand why the ETSI solution does not provide ability to > impersonate clients/servers. > My understanding of this solution is a "visibility" system would have access to a not-so-ephemeral ECDHE private key. This gives it access (via passive observation) to all session keys ultimately derived from ECDHE key agreement, including the resumption master secret. See RFC 8446, section 7.1: Key Schedule (EC)DHE -> HKDF-Extract = Handshake Secret | +-----> Derive-Secret(., "c hs traffic", | ClientHello...ServerHello) | = client_handshake_traffic_secret | +-----> Derive-Secret(., "s hs traffic", | ClientHello...ServerHello) | = server_handshake_traffic_secret v Derive-Secret(., "derived", "") | v 0 -> HKDF-Extract = Master Secret | +-----> Derive-Secret(., "c ap traffic", | ClientHello...server Finished) | = client_application_traffic_secret_0 | +-----> Derive-Secret(., "s ap traffic", | ClientHello...server Finished) | = server_application_traffic_secret_0 | +-----> Derive-Secret(., "exp master", | ClientHello...server Finished) | = exporter_master_secret | +-----> Derive-Secret(., "res master", ClientHello...client Finished) = resumption_master_secret -- Tony Arcieri
- [TLS] ETSI releases standards for enterprise secu… Dmitry Belyavsky
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Dmitry Belyavsky
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Christian Huitema
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Christian Huitema
- Re: [TLS] ETSI releases standards for enterprise … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Jonathan Hoyland
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Jonathan Hoyland
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Benjamin Beurdouche
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … R duToit
- Re: [TLS] ETSI releases standards for enterprise … Christopher Wood
- Re: [TLS] ETSI releases standards for enterprise … Melinda Shore
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Viktor Dukhovni
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Arnaud.Taddei.IETF
- Re: [TLS] ETSI releases standards for enterprise … Sean Turner
- Re: [TLS] ETSI releases standards for enterprise … Eric Rescorla
- Re: [TLS] ETSI releases standards for enterprise … Sean Turner
- Re: [TLS] ETSI releases standards for enterprise … Kurt Roeckx
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Ryan Sleevi
- Re: [TLS] ETSI releases standards for enterprise … Arnaud.Taddei.IETF