IETF Logo Mail Archive

Re: [TLS] Consensus call for keys used in handshake and data messages

Eric Rescorla <ekr@rtfm.com> Tue, 21 June 2016 00:39 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 434D512D86D for <tls@ietfa.amsl.com>; Mon, 20 Jun 2016 17:39:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 94Q9soaRnJVp for <tls@ietfa.amsl.com>; Mon, 20 Jun 2016 17:39:52 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EAA412D84F for <tls@ietf.org>; Mon, 20 Jun 2016 17:39:52 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id i12so767587ywa.1 for <tls@ietf.org>; Mon, 20 Jun 2016 17:39:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=X2anUbegAQSgS45zi0FDcAX/CRvKnQsqEr21vyogVsY=; b=uB78sErWwRzfsI7FZ+MkqrI31NLWSjTqjmXa3A6VsWvanJORDaYhih9vTQi/fCQtzk ZkICviCZJcH4769s9m/WsR1c9pwjgCxReBR8buSPLSqeFkFk+80xQjwXUOuSETy2N4SY +VOolE3NT2SOYFOgBVay7mDgxVouUsOdFcC/jDeiEOkqqp7KxWTDuKZ8mTPk0xPGq2v0 1EkgViytVj1yf2AhaotkizTyu+s40pRhm06FO/sUknW12VjZ4seC3mtvv+Rx94OgBIZz pwvnBTVL4Jo1dQ5nn34MlDXU70hKPq4z6Kzq6JbE3KnhzU0KDX8baBJayhYI0513IrC+ a9Yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=X2anUbegAQSgS45zi0FDcAX/CRvKnQsqEr21vyogVsY=; b=MljntovsmqY62mL0MtL/Q4IBxL74F/2DnX6NmNjWWvs8pZFZ7G04f7vuUWFP+2oC7u fSNl7Nz8Lv+p9EqMdxc7FP/15huX6xk0In6NiBKMtZCb50bGix4v8FcQgHxKk5n+bLHJ uPVHill61yOid/6Ra+3OATCX67RZFNNGBAWkcN7SuSn8m1IMpX5c0WuhNP72E/PRliLf qJ12co8/sdCf6sNUn7kKyyq0NxijXMfxndnGshjmoPO40PN81JNOcejf8qsvshMjJAOz mx9Lo8ogCqy75l1OjyaE3HklnQZ5+wAeq4Aupdlg0vEER3RsxoP9LbsTgitZBQ7Rfjyb 9HpQ==
X-Gm-Message-State: ALyK8tLqC5Phg1bBwjQ2XdNf24GbmZG4r7NfT2PYmoZB5DVXxNM9y2ocuqlUWJyccqD3ZMLbotehCoENNiItTw==
X-Received: by 10.129.83.213 with SMTP id h204mr11613285ywb.276.1466469591391; Mon, 20 Jun 2016 17:39:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.136 with HTTP; Mon, 20 Jun 2016 17:39:11 -0700 (PDT)
In-Reply-To: <CADi0yUN=FxZHMUtDke4qdaHuvDM2y0aFVCvVJkkpbzXFS0+LsQ@mail.gmail.com>
References: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com> <CADi0yUN=FxZHMUtDke4qdaHuvDM2y0aFVCvVJkkpbzXFS0+LsQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 20 Jun 2016 17:39:11 -0700
Message-ID: <CABcZeBOU2a0NER+OQRb4ouhpKkF53ZNyKn5_amAANLrpOBnGWg@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="001a114d8e1611a4a80535bf0fbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EGzxKPODhoqLmmP1SrNheprfSnA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2016 00:39:55 -0000

Nobody seems super-excited about either Option 1 or Option 2, so it's
at least worth noting that there's one of the options I claimed was
rejected earlier, namely separately encrypting the content type in
roughly the manner suggested by DKG, Ilari, and Kenny. Thanks for
Doug/Felix for prompting me on this.


NOTE: I don't promise any of the below is secure, though it probably
can be made so with enough work. Actually doing so is an exercise
for the reader.


The basic idea is as follows:

1. In each direction generate a separate "content_type_key"
2. Separately encrypt the content type from the rest of the record
   using the content_type_key.
3. On the receiving side, first decrypt the content type and then use
   that to determine what key to decrypt the record.

The trivial version of this is just to AEAD encrypt the content type
separately, but this has unacceptable bandwidth and CPU properties, so
is probably not viable. However, there are more efficient designs,
which can get the overhead down to modest levels (<= 1 byte of
expansion and <=1/16 of a block computation/record).

The obvious construction is to use the content_type_key to compute a
per-record masking value (effectively an ad hoc stream cipher) and
then use that to encrypt the content type (or potentially just a key
type bit) without integrity (though you might later protect it in the
additional data block under the main key). This gives you an
encryption function without expansion. If you have a mask function
which outputs one block at a time, you can use pieces of the block for
each record (e.g., for record N you use byte N/16) [1]


Obvious objections to this:
1. This isn't integrity protected. This is probably the most serious
complaint and has the potential to actually leak information about
the content type unless you're careful [2], even if you eventually
integrity protect this information.

2. It's odd to just use a piece of the AEAD cipher (the encryption
function), especially if we ever had a really non-composite cipher.
This can be alleviated by using HKDF-Expand to produce the stream
of bits.

3. Maybe it doesn't get the whole job done, especially wrt the fact
that we're not rekeying the app data after client auth.

4. It's gross. Yes, yes it is.


I'm not really in love with this idea, but I did want people to know
that maybe we don't *have* to choose between option 1 and option 2
in case that changes people's opinions.

-Ekr


[0] Note, I'm specifically not trying to protect length here. That
might be attractive, but my sense is that for the reasons Kenny
indicates it's harder to get right and I'm generally pretty skeptical
of length hiding in TLS given that we already have added padding.

[1] There are some subtleties about not breaking the record format.
If we don't care, then we can strip the first three bytes and then
steal a bit from the length to use for "key type" (the length will
never hage the high bit set). If we do care, then we could use the
key bit to toggle between "app data" and "handshake" in the dummy
record type byte.

[2] Naively, if you try encrypting the whole content type, some
transformations on the encrypted value will produce invalid types,
which leaks information if the receiver sends an alert.


On Fri, Jun 17, 2016 at 1:18 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>
wrote:

> I am abstaining on the choice of alternative 1 and 2 since I do not
> understand
> enough the engineering considerations and ramifications of the different
> choices. Also, I have not put any thought into the privacy issues related
> to
> hiding content type and I certainly did not do any formal analysis of these
> aspects.
>
> I do want to say that from a cryptographic design and analysis point of
> view,
> key separation is of great importance. It allows to have more modular
> analysis
> and design, and prove composability properties of protocols and
> applications.
> I believe it has significant practical advantages particularly with
> respect to
> "maintaining" a protocol, namely, making sure that changes and extensions
> to a
> protocol are secure and do not jeopardize its security. The more modular
> the
> design the easier it is to reason about changes and additions to the
> protocol
> (and for a protocol like TLS, future changes and adaptations to different
> settings are unavoidable).
>
> As for the specific cryptographic considerations in TLS 1.3, I would have
> "fought" greatly to preserve key separation at the level of the basic
> handshake
> protocol (three first flights). It guarantees that the application key is
> *fresh* at its first use for protecting application data. Freshness means
> that
> the key can serve any purpose for which a shared random secret key can be
> used.
> (In contrast, a non-fresh key, e.g. one used during the handshake itself,
> can
> only be used with applications that are aware of how exactly the key was
> used
> in the handshake.) Since my understanding is that the current
> base-handshake
> specification does preserve the freshness of the application key, I am
> happy
> with that design.
>
> The issue of using the application key to protect post-handshake messages
> is
> more involved. First, post-handshake client authentication authenticates
> ("a
> posteriori") the application key but only after this key has already been
> used.
> In this sense this mechanism cannot possibly achieve key freshness for the
> application key. The best one can hope for is that this post-authentication
> authenticates the key without jeopardizing its use in the particular
> application
> it is intended for, namely, protecting TLS record layer data. Luckily,
> this can
> be proved. So now the question is whether using the application key to
> encrypt
> the very messages that provide post-handshake authentication (e.g.,
> client's
> signature) may lower the security of this key. The answer is that it does
> not.
> That is, the security of the key for protecting record layer data is not
> jeopardized by using it to encrypt post-handshake messages.
>
> I feel moderately confident about the above paragraph as I have been
> working on
> the analysis of client authentication, including (encrypted) post-handshake
> authentication. On the other hand, I have not studied the effects of
> encrypting
> other post-handshake messages such as New Ticket or re-keying messages so I
> don't have an "educated conclusion" here. I do expect that there are
> analytical
> advantages for not using the application key for encrypting these messages
> but I
> cannot say for sure.
>
> In all, it is good and prudent practice (not just theory) to enforce key
> separation wherever possible, and I would be happier if there was no
> instance
> where the application key is applied to non-application data. But I also
> know
> that one has to weigh other engineering considerations and in this case the
> trade-off does not seem obvious to me. Hence, as said, I abstain.
>
> Hugo
>
>
> On Mon, Jun 13, 2016 at 3:00 PM, Joseph Salowey <joe@salowey.net> wrote:
>
>> For background please see [1].
>>
>> Please respond to this message indicating which of the following options
>> you prefer by Monday June, 20, 2016
>>
>> 1. Use the same key for handshake and application traffic (as in the
>> current draft-13)
>>
>> or
>>
>> 2. Restore a public content type and different keys
>>
>> Thanks,
>>
>> J&S
>>
>>
>> [1] https://www.ietf.org/mail-archive/web/tls/current/msg20241.html
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email