IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Martin Thomson <mt@lowentropy.net> Thu, 07 January 2021 22:42 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22C23A0B58 for <tls@ietfa.amsl.com>; Thu, 7 Jan 2021 14:42:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=fCEYA/1Z; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=GIkzQCRJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sIsoj909tOwZ for <tls@ietfa.amsl.com>; Thu, 7 Jan 2021 14:42:11 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C1FA3A0BD4 for <tls@ietf.org>; Thu, 7 Jan 2021 14:41:45 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 624E25C0105 for <tls@ietf.org>; Thu, 7 Jan 2021 17:41:44 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Thu, 07 Jan 2021 17:41:44 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=2zXaKjTBTXaLe3I4erIVFDLV4USwSCT cZbdKu2UgOa8=; b=fCEYA/1ZJrpF9G+kV7CwB9eS5cHyHICIqkiKsS9K3rqT96M LilCB/9v0YAkjuUHwBX9pu4ib2/V1vwtIruOZ9yccVddFR+vVl0c/GhXOlI68dps J2tAqvQl9JB2usKvGoBiKnEII6GUin9cOV9smZq0TNp4gFoYdbQLHdPiuJcMi+cc 4Lw1TkMIMBP21QTBsI78M2D+gDd47mAH2u8txfd+CcOfRqLGWJ3HCpEN+K6ILVBu sXk32xYAc5V61RabMbiJIUcu2mRpCxZ/wg5HFYj8GlXqMxqwzZF03hOojnhZ/wxt Yie5GkMMcVJJoVc3T34DpPY6+9+qTwJbousSYVg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=2zXaKj TBTXaLe3I4erIVFDLV4USwSCTcZbdKu2UgOa8=; b=GIkzQCRJlmfUcBt1pddzEO oumr7GIwiYAkRYiU4Ofha+PWx+XL3V79HIT3nIOmlc4N8Gd+0PdtgwHDlQ39xONS DyG3I1CcsBNKoaxivgifYX415wQ9QknPv8ZImRtAyTUY72QbgeGv48oNqeaCju7f baorOG81Kgz5r/2bPTGUWLgDNELctZhzEp8TjXEo4MfTTpeDWtJyggUfhrn6xtXZ 5taAocDvokRMIZW4pGnnelBZDtzg+YXstgNnWYg3A3VqgOmG0xgrETg1/wv4E++1 ED4cLJudxft9rA6959zYWyZgiLoITz6ly2bJxhY/YfRMohx4MDiiQwT8y24CNJyg ==
X-ME-Sender: <xms:KI73Xx43thd83mBb1YqUATnVSMlgHTWlpGJnGEE6Y6ATJWC4E3wJ2Q> <xme:KI73X-6HuOmnjY-F0mj2sIeTna8-NwC67XvXAFd4ZF_KWf3Afzu4YBLYLzHD_Fz7V WZsjMWmzRDspwWx6UA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvdegfedgfedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeeiudegffegveekgeffhf duieffhefhvdegfeefveetiedvhfdvkeeugeehjeeuheenucffohhmrghinhepghhithhh uhgsrdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrh grmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:KI73X4cMevjLXimi2JMWiXut854ePLGT9qqr0WfBD9p7xxz9MnFgRg> <xmx:KI73X6ILkFY4PoWW7uwV384RA3oVt9Wzc-3h_Hh_4tg-CPwxan23Tw> <xmx:KI73X1JEZLc11D00xV-zwbEDg8bW844uh2CknCxJRXaYQChMHPrHZw> <xmx:KI73X6UnX2DLDXPkM9zghYSGC8lAj5RyIs-PIiKEnSOXk-RTtlOfcw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 18B9E2017E; Thu, 7 Jan 2021 17:41:44 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.1-61-gb52c239-fm-20201210.001-gb52c2396
Mime-Version: 1.0
Message-Id: <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com>
In-Reply-To: <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com>
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <20201216223842.GR64351@kduck.mit.edu> <0f2b05db-5c98-43d4-aae3-cf620814bacc@www.fastmail.com> <A4BBA31B-8754-4D8C-B0F1-D1C6C859F6AE@deployingradius.com> <CAOgPGoBvBzhA0q4gFqpFSm2HkAs6NoyLc6RVZYLtTYsNd02i8A@mail.gmail.com> <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com>
Date: Fri, 08 Jan 2021 09:41:25 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GyFge6uc2HPOB2OBZ-ttqjWl74s>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jan 2021 22:42:15 -0000

Hi Joe,

Thanks for doing this, I think that this is a distinct improvement (and I will take your word for the difficulties involved with further splits).

One point that I made poorly perhaps, and was dismissed, might be worth restating:

MSK = TLS-Exporter("EXPORTER_EAP_TLS_MSK", Type-Code, 64) 

The inclusion of a type code as context is, I believe, a misuse of the field.  As this is a fixed value, the value is being used for domain separation.  However, that is the function of the exporter label input.  The label exists to establish that this is EAP-TLS and the key is (in this case) MSK.  If you need different derivations for different type codes, I strongly suggest that this be included in the label.

The Context input exists to pull in variables from the context that endpoints might need to agree on.  It is not for domain separation.  For example, if you thought it necessary to authenticate the Identity values that client and server exchange, you might add those to this field.  (As an aside, you might want to consider that as their value could be used to determine what parameters to feed into the TLS handshake.)

If, however, you have an adjacent usage of EAP that wants its own MSK, then that is domain separation.  The right thing to do would be to create new labels for that usage.

This might be a fine point in light of the fact that these all just get fed into HKDF, but I think that it is important to respect the purpose for which these inputs were designed.

Cheers,
Martin

On Wed, Jan 6, 2021, at 17:24, Joseph Salowey wrote:
> 
> 
> On Tue, Jan 5, 2021 at 8:31 AM Alan DeKok <aland@deployingradius.com> wrote:
> > On Jan 5, 2021, at 11:13 AM, Mohit Sethi M <mohit.m.sethi@ericsson.com> wrote:
> > > 
> > > Hi Alan,
> > > 
> > > Cleaning up the email. The current draft says the exporter should be called once as:
> > > 
> > >>    Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material",
> > >>                                Type-Code, 128)
> > >> 
> > > and then split the 128 into MSK (64) and EMSK (64). As said, from initial glance, it seems the exporter is called twice (once in eap_tls_get_emsk and once in eap_tls_getKey). Both the calls are with exactly the same context, context length, and labels. In getKey, the EMSK parts are cleared with
> > >> os_memset(eapKeyData + EAP_TLS_KEY_LEN, 0, EAP_EMSK_LEN);
> > > while in get_emsk, they are read with
> > > 
> > > 
> > >>              os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
> > >> 
> > >>                                
> > >> EAP_EMSK_LEN);
> > > Maybe we can live with this. But if exporter is called twice, we should use different labels as suggested by Martin?
> > 
> >   Yes.
> > 
> >   Perhaps as Joe suggested: EXPORTER_EAP_TLS_MSK and EXPORTER_EAP_TLS_EMSK, which seem simple enough.
> > 
> [Joe] I created a pull request 
> (https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/17)  with the 
> proposed labels.  Is this change going to cause significant problems 
> for implementation? 
>  
> >   Alan DeKok.
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email