Re: [TLS] Closing on keys used for handshake and data messages
Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 04 June 2016 09:51 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ADF912D152 for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 02:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ev_8CdrzcaDF for <tls@ietfa.amsl.com>; Sat, 4 Jun 2016 02:51:15 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id D97D712D10D for <tls@ietf.org>; Sat, 4 Jun 2016 02:51:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 8207414E1 for <tls@ietf.org>; Sat, 4 Jun 2016 12:51:12 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id gIpxgofBZ2R7 for <tls@ietf.org>; Sat, 4 Jun 2016 12:51:12 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-224-2.bb.dnainternet.fi [87.100.224.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 2C945C4 for <tls@ietf.org>; Sat, 4 Jun 2016 12:51:12 +0300 (EEST)
Date: Sat, 04 Jun 2016 12:51:11 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20160604095111.GA6537@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com> <201606040226.00867.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <201606040226.00867.davemgarrett@gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EAx0lyRELQvHbIkIYWLskXMaFAo>
Subject: Re: [TLS] Closing on keys used for handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2016 09:51:18 -0000
On Sat, Jun 04, 2016 at 02:26:00AM -0400, Dave Garrett wrote: > On Friday, June 03, 2016 05:54:53 pm Joseph Salowey wrote: > > Unfortunately, the TLS record framing is not easily compatible with having > > multiple keys used simultaneously: because we encrypt the content type, it > > is not possible to use it to determine which key to use to decrypt. We > > examined a number of proposals which would allow you to simultaneously have > > encrypted content types and separate keys, but they all appear to be > > nonviable for one reason or another: > > > > - Trial decryption has serious implementation problems > > - Double-encrypting handshake messages in both the handshake key and the > > application key does not actually provide the required key separation > > - Separately encrypting the content type is inefficient in a number of > > ways, especially for DTLS (and would need separate security analysis). This > > is probably the most viable of the “try to get both” designs. > > Could someone please elaborate on why nested encryption would be a > problem? The problem is that nested encryption does not solve the separation problem (application misusing keys it has[1] in ways that interact badly with the (late) handshake[2]). Essentially the difference is "the generated key is safe to use with any protocol" versus "the generated key is safe to use for TLS 1.3". And if the first is not true, proving the second is harder (even if it should be true, barring massive design errors[3] or applications doing utterly crazy stuff[4]). [1] Nevermind it REALLY SHOULD NOT actually have those keys, but only plaintext access to its own mux stream. [2] In normal TLS operation, the protocol mux/demux prevents such interference from actually occuring. [3] Like grossly broken protocol mux. [4] Stuff applications have absolutely no legimate business of doing (if I ever see such things, my first assumption about the cause will be malice). -Ilari
- Re: [TLS] Closing on keys used for handshake and … Douglas Stebila
- [TLS] Closing on keys used for handshake and data… Joseph Salowey
- Re: [TLS] Closing on keys used for handshake and … Dave Garrett
- Re: [TLS] Closing on keys used for handshake and … Ilari Liusvaara
- Re: [TLS] Closing on keys used for handshake and … Björn Tackmann
- Re: [TLS] Closing on keys used for handshake and … Daniel Kahn Gillmor