[TLS]Re: Adoption call for Extended Key Update for TLS 1.3

David Benjamin <davidben@chromium.org> Thu, 25 July 2024 22:52 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCEA3C18DB88 for <tls@ietfa.amsl.com>; Thu, 25 Jul 2024 15:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.404
X-Spam-Level:
X-Spam-Status: No, score=-9.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0i3H-3EbPqqo for <tls@ietfa.amsl.com>; Thu, 25 Jul 2024 15:52:00 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B742AC1840C7 for <tls@ietf.org>; Thu, 25 Jul 2024 15:52:00 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-dfdb6122992so1360044276.3 for <tls@ietf.org>; Thu, 25 Jul 2024 15:52:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1721947920; x=1722552720; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rxTefPvn6rsYNvrXKeQoy8jcuAblMLphMfqSOmZvJ6I=; b=R2KSU6UhDs6LBrsInfvjH25O7BPE6jTEpZDCk+GB0r0d6EFBbA4HM9hXPisH7Z38hW OMQy7PmlUoSweboJWEcJazPRc4wZhYBHWW5bboiM3z6me9Z8zxFTYT1OOLxS7g5ipAZ1 +cSdCFPdPE4SXHiLOromffNV8hTHMH2ZOVI+I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721947920; x=1722552720; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rxTefPvn6rsYNvrXKeQoy8jcuAblMLphMfqSOmZvJ6I=; b=wQsOv0cKEbDlQN5p988vpQeMLLybsFBbW/+2+vpytjj+pK9AlCCB6r0VJXtzqAqF8O oqu3uHLtiIhcqSzgCX99cRt38207m4aF+iCXuPB3Lowq66SaI09tqR4Ymfy8UUnlglxX RZGz+6ohEZE6V2mUq+Dhjl7ZEShgf04Gibl8aoTN4nx/HsnNM9yK1KCSO/Qxkg6zm8v/ UNpklZdQamUmjGizN91KbsyXJ+O04VbBLyWUZFvd9yCOA+uHOqWcHyk/yp2/3oThukbO zBbzH9fag6Zi97jHt/t4yOq1Y0bPD3ZMUu7R2uRAlrmFYuBP//I/8fv/JiszFwTww+5P xC1Q==
X-Forwarded-Encrypted: i=1; AJvYcCWH3XMEE8c8CyEGXW94PPK1WmBETcS5pg+tFfIjFQf/jvFcBJVnut6WweIrUE6cD2UgrcK/elQQM3xZY4A=
X-Gm-Message-State: AOJu0Yw8s/lz8QxyORKAW7OA6RJfu1SzbzXc39f9ah7O1gL6Ur38X6rz WBUBM+olMpHDHybP8xiAPF9iitAth5uTDKuabvUyR30OTX5EEZhdQNN1Hxg+lsqqD7dJELlL45x tL+Jv+aQPzOdZSMgzxIffB6KRCrV/c+VZ+0A=
X-Google-Smtp-Source: AGHT+IF/cAhRjDvR5Qu03Ceh6lLoMZELPv0G/gz3btkqCNB6f8EpVVhkOeBEI0u2A28UDE/iNWIT2LEFzMmpYTO2yIc=
X-Received: by 2002:a05:6902:709:b0:e02:ed0f:e83b with SMTP id 3f1490d57ef6-e0b22fae3efmr5916697276.11.1721947919464; Thu, 25 Jul 2024 15:51:59 -0700 (PDT)
MIME-Version: 1.0
References: <595B81B5-6E50-4809-AD56-8646F31C99CD@sn3rd.com> <CE5E830A-7173-46A8-962F-4B92E62A3D3C@lurchi.franken.de>
In-Reply-To: <CE5E830A-7173-46A8-962F-4B92E62A3D3C@lurchi.franken.de>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 25 Jul 2024 15:51:41 -0700
Message-ID: <CAF8qwaCRhpDYL+Nyji=L6ZHbiUSRdh5L_0zFzk21zgptZBwAKA@mail.gmail.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>
Content-Type: multipart/alternative; boundary="00000000000010a937061e1a3e9b"
Message-ID-Hash: WKBT374N5F5OMIWK7TCRCDD4CERGWSYZ
X-Message-ID-Hash: WKBT374N5F5OMIWK7TCRCDD4CERGWSYZ
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Adoption call for Extended Key Update for TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GGuQDxsd20DgR47BFt3BFTQNHms>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I support adoption of the draft to solve this problem, but I suspect the
construction will need some changes. I'm not sure the construction in the
draft actually works.

A single extended key update flow in the draft sends NewKeyUpdate in
*both* directions.
Now, imagine if both client and server initiate an extended key update in
parallel. Messages don't get sent instantaneously, so we can't prevent this
scenario. We will then have two concurrent instances of this flow:

Client-initiated:
C->S: ExtendedKeyUpdateRequest1
S->C: ExtendedKeyUpdateResponse1
C->S: NewKeyUpdate1a; update C->S traffic secret
S->C: NewKeyUpdate1b; update S->C traffic secret

Server-initiated:
S->C: ExtendedKeyUpdateRequest2
C->S: ExtendedKeyUpdateResponse2
S->C: NewKeyUpdate2a <-- updates S->C traffic secret
C->S: NewKeyUpdate2b <-- updates C->S traffic secret

Now, the problem is that NewKeyUpdate1b and NewKeyUpdate2a are the same
message, sent in the same direction and may flow in parallel. Same for
NewKeyUpdate1a and NewKeyUpdate2b. That means you can get in a
situation where *both* flows are waiting for a NewKeyUpdate message and you
can't tell which one to progress. If the client and server disagree on the
order in which to apply the two secrets, the protocol will break.

One could fix this by making the two messages different, but that seems
unnecessary. I believe we only need three messages, not four.

C->S: ExtendedKeyUpdateRequest
S->C: ExtendedKeyUpdateResponse; update the S->C traffic secret
C->S: NewKeyUpdate; update the C->S traffic secret

I might suggest that NewKeyUpdate be called ExtendedKeyUpdateFinish in this
version. This avoids the ambiguity and is simpler.

(Not sure what the consequences of either design is on DTLS? I think I'd
need to spend time with pen and paper there. Perhaps it is sufficient to
just drive the update on ACKs, after apply the fixes described in
https://mailarchive.ietf.org/arch/msg/tls/_ku3-YDcroNmG_QKZsYTtqYzC0M/ )

But, as for adoption, I think solving this problem makes sense, and I think
this draft is still a reasonable starting point.

David

On Thu, Jul 25, 2024 at 1:48 PM Michael Tuexen <
michael.tuexen@lurchi.franken.de> wrote:

> > On 25. Jul 2024, at 09:39, Sean Turner <sean@sn3rd.com> wrote:
> >
> > At the IETF 120 TLS session there was interest in adopting the Extended
> Key Update for TLS 1.3 I-D (
> https://datatracker.ietf.org/doc/draft-tschofenig-tls-extended-key-update/)
> This message starts a two-week call for adoption. If you support adoption
> and are willing to review and contribute text, please send a message to the
> list. If you do not support adoption of this I-D, please send a message to
> the list and indicate why. This call will close on 8 August 2024.
> Dear all,
>
> I do support adoption and I'm willing to work on it, in particular to make
> sure that it works on the contexts of DTLS over SCTP, one of its use cases.
>
> Best regards
> Michael
> >
> > Thanks,
> > Sean
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-leave@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>