Re: [TLS] Pull request for session hash

Eric Rescorla <ekr@rtfm.com> Mon, 22 December 2014 21:33 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D338D1A8755 for <tls@ietfa.amsl.com>; Mon, 22 Dec 2014 13:33:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Level:
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ki8JS8R7LWtf for <tls@ietfa.amsl.com>; Mon, 22 Dec 2014 13:33:55 -0800 (PST)
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 771311A8753 for <tls@ietf.org>; Mon, 22 Dec 2014 13:33:55 -0800 (PST)
Received: by mail-wi0-f179.google.com with SMTP id ex7so9174785wid.6 for <tls@ietf.org>; Mon, 22 Dec 2014 13:33:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=IARd7nZr6e4j24AkAVI8/34+irnvq4Sph86P/Ft6xDE=; b=ehsaw8T+1z4oDLgqU35/kP9aFNfw7ix88T6oJtSOC5CcaoUcpqn3CDeqD+ZbloCabA 6Z+952A1EciAJpBKOjchGJbi4F6mSEoex4PYLs7rWKnZWawRRGnh/WwFR5s3LPFygkXj 0qK9c9jonWY1tcmI9s3GLQSfEmr86ZJViF38G4n8W9IwaPvW9q7yMF89RgpVGZ+D9Omt LcO6JgkKC2CvMOrBweILcc+SZpOJcjOghSyLjH3Q79RIsJThh0DNYZmJhPyKaYJwTHQz xbJ8mVYOx2ik/T4x7+griLHp5D8UZhxUcByQOkOgna3bvHdO8fZNUV6PftySOxaoRL+/ +XNQ==
X-Gm-Message-State: ALoCoQktW/6qkXiuiSgxLFFXaGBgFqyK06vhNPmus0Xu8DLcbfuDivSreU4x/27ZVncATLmF5YUT
X-Received: by 10.180.19.193 with SMTP id h1mr35078871wie.10.1419284034117; Mon, 22 Dec 2014 13:33:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.130.34 with HTTP; Mon, 22 Dec 2014 13:33:13 -0800 (PST)
In-Reply-To: <CABcZeBNj2n-UM-qwVH8PSV+7MgS6kNxzqQZ20J3DtfZ8tLg9-Q@mail.gmail.com>
References: <CABcZeBNj2n-UM-qwVH8PSV+7MgS6kNxzqQZ20J3DtfZ8tLg9-Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 22 Dec 2014 13:33:13 -0800
Message-ID: <CABcZeBM9BonSs0PUF4BvRvRQ7L3-TL7n-XLGm_AtDypbWj3a5w@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=bcaec53d526fb07a73050ad4d03c
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/EYjH-a06jktMQNDd-VnJypElKKg
Subject: Re: [TLS] Pull request for session hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 21:33:58 -0000

I've posted an updated PR at:

https://github.com/tlswg/tls13-spec/pull/89

Note that I did not restore the ChangeCipherSpec message as my sense of
the WG discussion and private conversations was that people preferred to
have it gone. If you feel strongly about this change one way or the other,
and haven't already posted to the list about it, please do so now, as I'd
like to resolve this and merge this PR this week.

Best,
-Ekr



On Fri, Nov 7, 2014 at 2:01 PM, Eric Rescorla <ekr@rtfm.com>; wrote:

> I've created a preliminary pull request to adapt the session hash fix for
> TLS 1.3
> for feedback from the WG.
>
> Points to note:
>
> - IMPORTANT: Because the initial handshake messages are encrypted
>   under separate keys from the application data traffic, it seems like we
> need
>   to have 2 sets of CCS messages or none. In anticipation of removing
>   renegotiation (see PR https://github.com/tlswg/tls13-spec/pull/88).
>   Based on conversations with Alfredo and Martin, it seemed easier
>   to remove them. Warning: analysis needed here.
>
> - I created a separate resumption master secret that is fed into the
>   key hierarchy. This makes the description of that simpler but will
>   need revisiting if we adopt either Rich's unification of session hash
>   and tickets or Karthik's PSK-as-tickets unification, but that seemed
>   like a separate issue.
>
> - If we adopt the Update proposal we will also need to split the master
>   keys into two directional keys, but that's distinct as well.
>
> - I still need to add the names of the session hash authors t
>   acknowledgements.
>
> This will probably need another revision before it is ready for merging,
> but
> I wanted to get it out there for feedback.
>
> -Ekr
>
>
>
>