IETF Logo Mail Archive

[TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)

Eric Rescorla <ekr@rtfm.com> Mon, 02 June 2025 17:53 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2F0B62FD3952 for <tls@mail2.ietf.org>; Mon, 2 Jun 2025 10:53:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5HO0j74dIANC for <tls@mail2.ietf.org>; Mon, 2 Jun 2025 10:53:00 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 731B62FD394B for <tls@ietf.org>; Mon, 2 Jun 2025 10:53:00 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id 3f1490d57ef6-e7dd151f79eso4385951276.2 for <tls@ietf.org>; Mon, 02 Jun 2025 10:53:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1748886780; x=1749491580; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=x6ScROlWdW3rlWyfDASDoT3NHm6jn7Gd6Xu/6vFZ2v8=; b=F52Ksxm/P5CW5lCiBZsxkyMASIl8aJRZ8zI9BacN93LFGtE6x0OiqBAEo/OMBfTVZi u0jJwzhRM7CvlqBeJZtImK0vQDNig0VCQ+DlrOBV10w6GQX7+PopKJwRTPXBwchuhRjQ ffv+KQ4V4MPM9VN6FCDwTssai55JfX+VpbMu6kBfN034lER5egKTajHHlx7hcVP9ul18 VqlYpZnMO0QPm3gvCkZfw1P/z27Atq3kxPpgeH/YkL+Y75bz6tHQcLUEhJGLlZQaCObw Z4R3jLDM4zswEmGg4h4WiPnl6Cg4rOU+q9Kq0LOtwkwhgKefnomx2rguvS88rw/XKOud 2aVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748886780; x=1749491580; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=x6ScROlWdW3rlWyfDASDoT3NHm6jn7Gd6Xu/6vFZ2v8=; b=QUI77trSMY+B3ghrOIagBNQL/TSgZcO8If8+ogLlvpF4THkAdNOOhpYe24g73v4T63 cT8+0JMQA5aTZi4DsyUKcZf+WIrHpKVCL2Emy5bsGSY7UoKRH3NY6RaB5obYEAQC4514 PqNphddcnnCJE5DrrpEbN/cCGGttz5qh1DWUOglpI+YLqgZOGygD+EjX3+MJvpLZfmeP gsNJJmGo6pJZ7SDAWjgnCYTXfdCYcrfiZ9owUYhXtbHhA0ZtPgxUvSDY2I8QzI2AeeiU mAGuktyQBwF8BwOWTiQQ0DIzto2smQTTiGoV79bMlNfbL9WijhdTHbIY4cbuNvf/jIP8 AY0w==
X-Gm-Message-State: AOJu0YyDpRNZhI+7rxIaBlmVOen178QZUOzzIQrZQLKbjChBNv/55aJo wQLG4FMlO5I20YpsVsRojDqoS49fYavJNZk8IB55EvuMlfDY4mzJ4ZKs8fthvRaSf4fmV7LZHnj xx/mk5yOxZrtNSktRfxxgCPp7Jk41kGa/yXPPymKCegu5JnF6dlPGW6w=
X-Gm-Gg: ASbGnctJ85lyRONs7a0CA2VqPDWPsqqQr5ryDbTx5W6IJaPw1qTC4m32Tat8+7NOstT D+D40xpdg05kGostfC1poqf7WhGrgJpJVi+UQodwHA2Y+DMe8cGnXLzdLk/a/Km4Aul40567VcI y5tazNv9HUVldAe8UyOPF3kAFWBdE5n2P5+Rj5pYIGVmy+Yw==
X-Google-Smtp-Source: AGHT+IFwn1/vWzQD2smHrZAXKsXO/RSZj0+uknfsNGSkdyhZjtzWaFe396JciGxEVHrKMuyDmHrHGuX9gHptgNWxIy4=
X-Received: by 2002:a05:6902:154c:b0:e81:2740:2d96 with SMTP id 3f1490d57ef6-e81274032f1mr12730038276.17.1748886779732; Mon, 02 Jun 2025 10:52:59 -0700 (PDT)
MIME-Version: 1.0
References: <90bdd3cd-a5d0-4a82-b28c-2965536a7154@tu-dresden.de> <CADi0yUP27w+gcLvfWjn=+EqxfiWebFiyaNa1aUomVai8AUAU5w@mail.gmail.com> <f16029e7-33ea-449d-9a6d-936b649d30d5@tu-dresden.de> <b805cab0-1395-44cc-9dfb-8599e491226d@tu-dresden.de> <CABcZeBP_fqYBjUhNdEhZJcUorVYhAiTnP-2x6zqU9BQTs=Rm+A@mail.gmail.com> <42ac6c35-6277-4c64-a479-553edd70627d@tu-dresden.de> <CABcZeBN5UkzZesn+AoSObFqosisnOn6KnVfeTn=C3p-2yzBvxA@mail.gmail.com> <85357124-bb8e-4caf-9a41-94d3e51fe07c@tu-dresden.de>
In-Reply-To: <85357124-bb8e-4caf-9a41-94d3e51fe07c@tu-dresden.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Jun 2025 10:52:22 -0700
X-Gm-Features: AX0GCFvMRbyM_-6v08Dk8LrCwAjvQbM-vXredvVQ1rH2vfvNG22EGZLhmV0h8OQ
Message-ID: <CABcZeBNsOSshrpnw7GQvjEVUyF4CrcmxERqO1x3ucs=_EEJAow@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="0000000000004246e806369a6ff4"
Message-ID-Hash: MSMC32KOVYJVGBL7GOTUBPCM2L724W5H
X-Message-ID-Hash: MSMC32KOVYJVGBL7GOTUBPCM2L724W5H
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EjFQUNAZHEQ84FmeCgqkNkAsd9w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I'd like to take a step back here and talk about the overall setting.

This is a minor revision to RFC 8446, which has already been published.
It includes useful clarifications and we'd like to get it out the door.

You're proposing an expansion to the scope of work that will then have
to be carefully checked for correctness, as the whole principle is that it's
supposed to be comprehensive. I'd be happy to see that on the TLS wiki,
but I don't think it's helpful to try to cram it into the RFC at this time.

A few more detailed comments below.

-Ekr


On Mon, Jun 2, 2025 at 10:35 AM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

>
> On 30.05.25 18:08, Eric Rescorla wrote:
>
>
>
>> > Issue 2: "Binder Finished Key"
>>
>> I would appreciate an explicit entry in Table 2, rather than burying it
>> deep in Section 4.2.11.2. Something like:
>>
>> Mode = PSK | Handshake Context = ... | Base Key = binder_key
>>
>
> I don't think this change is indicated. It is not a Finished key.
>
> ok fine, but the least we should do is to make PSKBinderEntry explicit. I
> have submitted a PR [1]. Please check.
>
> [1] https://github.com/tlswg/tls13-spec/pull/1392
>
This does not appear to be correct. But more generally, I'm just not
following
why you think this is necessary. The text says:

   The PskBinderEntry is computed in the same way as the Finished
   message (Section 4.4.4) but with the BaseKey being the binder_key
   derived via the key schedule from the corresponding PSK which is
   being offered (see Section 7.1).

And then 4.4.4 provides the expansion:

   finished_key =
       HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)

Why is this confusing?



>    - The formal model of ECH [3] has invented a new key in the key
>    schedule, namely "client_fkad" [4] which they claim to be modeling
>    "[sender]_finished_key" (in addition to the two finished keys). I don't
>    find anything like this in the TLS or ECH specs. So where is this coming
>    from?
>
> This appears to be the Finished key used for post-handshake
authentication. The third line in the table at the end of 4.4.4.

v2.35.0 | Report a Bug | By Email | System Status