Re: [TLS] judging consensus on keys used in handshake and data messages
Joseph Salowey <joe@salowey.net> Fri, 08 July 2016 13:50 UTC
Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8DB512D685 for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 06:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmk6wkJuLL7s for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 06:50:03 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA5DE12D6A1 for <tls@ietf.org>; Fri, 8 Jul 2016 06:49:58 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id m2so22084810qtd.1 for <tls@ietf.org>; Fri, 08 Jul 2016 06:49:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LiJXHGoD0WhpG6/6vcBPsU/tjbcFbXHMOJIv5v4WzRM=; b=U+pzXVMAoz6D+J1aaRo1sYqNgDBwWW97Y+k4t5QnY4rphFE6HkL1XEuuhDoB98aiYP PwXQ+5APrttiOKvNpXA2xHDp4oRiujRz64emJleXuI1AV9ieU2OLftv6tE2n3lR09W2A k8ILPqzjSYtEwFwDjajG/jPTveKG3ah4JXVKQ0rNWMOgZ+/jcASiGMfU2CxU7aZZsdl0 qFPvfiIxZ6z27ANHVB+PZD6pLVZenJHeDAMMzwYepa/US9IGL5dgHzhtyMfYWTNr9aN8 fQKBTxacYHdHntf5An5Kr1mXJELNdNcrgJH3RioK9kxQ7HR5v6fXnYVkdEjkqoUEAUip Lw8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LiJXHGoD0WhpG6/6vcBPsU/tjbcFbXHMOJIv5v4WzRM=; b=ZeQGF70JLoTV1RXuQfDRv1/fkcsExdceEeLdczQkpushQbaG66fA+omRObcsM7Gt9M ujVNRdXyAJEEbIRGy00nMo2KMcgdaTURJIwego2qm4K2mD+ZGjpm4MyD8JVh/VzmSkFE /F4/OPWDvuwG1quG0EkenwQU6sf+wLxifEYgJZAVMo8rhK0wm2HzkMNrWfjtyE4lO9CD kcQPGWWOphfULNU+j2CaaCYUbbOre2fPvd7rYfIdrTNhPuZ2SFjAtX44r32poUHT4sjr jovFSbgTtaE1KQFCpy0wYHRIO1HXhChStgUA7GhtsPD2+5SeTawOaMqYgpt68XaybIbl ET1w==
X-Gm-Message-State: ALyK8tJSW/xb0SldkXwXloKhGy3OnNAuKbe9UJ3Uu2C+DFctNh4Ri+Mrg93FkPbhUk0io19pYS6tPN40kSDAPQ==
X-Received: by 10.200.51.34 with SMTP id t31mr1952615qta.61.1467985798007; Fri, 08 Jul 2016 06:49:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.181.134 with HTTP; Fri, 8 Jul 2016 06:49:38 -0700 (PDT)
In-Reply-To: <CADi0yUPXXwdRNJfrP_HiL9-F-8fuqstTpBukWgtEMkpSnQnysg@mail.gmail.com>
References: <CAOgPGoA2RmAUMR=4bOOwepSSdrJ2tUGD1B+hieQzZaRVnwXo=A@mail.gmail.com> <A2C29D69-FF97-4C16-941B-87C0022C6362@gmail.com> <CAF8qwaC+iXoJ_Z9xuB4UqR4-7EmXUmr2pRRcBDxtDP-eZ8LzAg@mail.gmail.com> <201607062024.46745.davemgarrett@gmail.com> <CABcZeBO_Nh_u+++wOqH68j3mNfkM3A+W+4ZR7-J0ciV0-4q1KA@mail.gmail.com> <CAF8qwaArt-kmRf3EBdo4j7Q-xFEe25LZLperxzqtKqV-2sbJ1Q@mail.gmail.com> <4809BB22-BF00-4824-93BD-2C66497CC557@gmail.com> <CADi0yUPXXwdRNJfrP_HiL9-F-8fuqstTpBukWgtEMkpSnQnysg@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Fri, 08 Jul 2016 05:49:38 -0800
Message-ID: <CAOgPGoAOx7P5+DV7X0gd6JySr50CCXDmZLFNF+Ez0+EUiQvoeA@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="001a1135729e06a6240537201451"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HFZf8j13zq1VWerAvc3RIcU3d6o>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] judging consensus on keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 13:50:06 -0000
We would like to have all comments in on this by Friday, July 7, 2016. Also, to clarify, Hugo's interpretation is correct: Option 1 - use the same key for protecting both *post*-handshake and applications messages. On Thu, Jul 7, 2016 at 2:44 AM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > I do not have an objection to option 1 if re-phrased as > Option 1 - use the same key for protecting both *post*-handshake and > applications messages.. > > I believe this is what was intended by that option anyway. Let me clarify. > > I understand the question as relating *only* to post-handshake messages > and not > to the main handshake (three initial flights). For the latter we have key > separation in the sense that none of these main-handshake messages is > encrypted > under the application key but rather under dedicated handshake keys. This > should > not be changed as it provides key indistinguishability to the application > key, a > desirable design and analysis (=proof) modularity property. > > On the other hand, for post-handshake messages, and particularly for > encrypting > post-handshake client authentication messages, preserving key > indistinguishability is not relevant since at the time of post-handshake > client authentication, the application key has already lost its > indistinguishability > by the mere fact that the key was used to encrypt application data. Key > indistinguishability is the main reason to insist in key separation and > this > principle does not apply here anymore hence removing the objection to 1. > > I'd note that the best one could hope for in the post-handshake setting is > that > as a result of post-handshake client authentication the application key > becomes > a secure mutually-authenticated key for providing "secure channels" > security. > As pointed out by others in previous posts I have an analysis showing that > this > delayed mutual authentication guarantee is achieved even if one uses the > application key to encrypt the post-handshake messages. I have circulated a > preliminary version of the paper among cryptographers working on TLS 1.3 > and I will post a public copy next week so this can be scrutinized > further. > > Hugo > > > On Thu, Jul 7, 2016 at 1:10 AM, Karthikeyan Bhargavan < > karthik.bhargavan@gmail.com> wrote: > >> If we are left with 1 or 3, the miTLS team would prefer 1. >> >> On the cryptographic side, Hugo has a recent (draft) paper that seems to >> provide >> some more justification for (1), at least for client authentication. >> >> I know this is a bit off-topic, but the miTLS team would also like to get >> rid of 0-RTT ClientFinished >> if that is the only message left in the 0-RTT encrypted handshake flight. >> That should remove >> another Handshake/Data key separation from the protocol, leaving only 3 >> keys: 0-RTT data, >> 1-RTT handshake, and 1-RTT data. >> >> Best, >> -Karthik >> >> >> On 07 Jul 2016, at 02:49, David Benjamin <davidben@chromium.org> wrote: >> >> On Wed, Jul 6, 2016 at 5:39 PM Eric Rescorla <ekr@rtfm.com> wrote: >> >>> On Wed, Jul 6, 2016 at 5:24 PM, Dave Garrett <davemgarrett@gmail.com> >>> wrote: >>> >>>> On Wednesday, July 06, 2016 06:19:29 pm David Benjamin wrote: >>>> > I'm also curious which post-handshake messages are the problem. If we >>>> were >>>> > to rename "post-handshake handshake messages" to "post-handshake bonus >>>> > messages" with a distinct bonus_message record type, where would there >>>> > still be an issue? (Alerts and application data share keys and this >>>> seems >>>> > to have been fine.) >>>> >>>> Recasting all the post-handshake handshake messages as not something >>>> named "handshake" does make a degree of sense, on its own. (bikeshedding: >>>> I'd name it something more descriptive like "secondary negotiation" >>>> messages or something, though.) Even if this doesn't directly help with the >>>> issue at hand here, does forking these into a new ContentType sound like a >>>> useful move, in general? >>> >>> >>> I'm not sure what this would accomplish. >>> >> >> Me neither. To clarify, I mention this not as a suggestion, but to >> motivate asking about the type of message. If the only reason the proofs >> want them in the handshake bucket rather than the application data bucket >> is that they say "handshake" in them then, sure, let's do an >> inconsequential re-spelling and move on from this problem. >> >> But presumably something about the messages motivate this key separation >> issue and I'd like to know what they are. >> >> David >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] judging consensus on keys used in hands… Watson Ladd
- Re: [TLS] judging consensus on keys used in hands… Joseph Salowey
- Re: [TLS] judging consensus on keys used in hands… Cas Cremers
- Re: [TLS] judging consensus on keys used in hands… Douglas Stebila
- Re: [TLS] judging consensus on keys used in hands… Hugo Krawczyk
- Re: [TLS] judging consensus on keys used in hands… Ilari Liusvaara
- Re: [TLS] judging consensus on keys used in hands… Karthikeyan Bhargavan
- Re: [TLS] judging consensus on keys used in hands… David Benjamin
- Re: [TLS] judging consensus on keys used in hands… Eric Rescorla
- Re: [TLS] judging consensus on keys used in hands… Dave Garrett
- Re: [TLS] judging consensus on keys used in hands… David Benjamin
- Re: [TLS] judging consensus on keys used in hands… Yoav Nir
- Re: [TLS] judging consensus on keys used in hands… Hannes Tschofenig
- [TLS] judging consensus on keys used in handshake… Joseph Salowey
- Re: [TLS] judging consensus on keys used in hands… Hugo Krawczyk