Re: [TLS] Closing on keys used for handshake and data messages
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 09 June 2016 21:56 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA09012DA14 for <tls@ietfa.amsl.com>; Thu, 9 Jun 2016 14:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lweHtuvmS9Vc for <tls@ietfa.amsl.com>; Thu, 9 Jun 2016 14:56:43 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 3712412D9EC for <tls@ietf.org>; Thu, 9 Jun 2016 14:56:42 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id EBA06F98B; Thu, 9 Jun 2016 17:56:41 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 235752022D; Thu, 9 Jun 2016 17:56:41 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Joseph Salowey <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com>
References: <CAOgPGoB6=eH9059u95RJzt_quCN3+auP2NSx+mxLztePVYqGrw@mail.gmail.com>
User-Agent: Notmuch/0.22+47~g4441900 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Thu, 09 Jun 2016 17:56:37 -0400
Message-ID: <87d1nqc9gq.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I3tp9QQsusWrhwyDR8y8vOlR_Sw>
Subject: Re: [TLS] Closing on keys used for handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2016 21:56:45 -0000
On Fri 2016-06-03 17:54:53 -0400, Joseph Salowey wrote:
> Trial decryption has serious implementation problems
> -
> Double-encrypting handshake messages in both the handshake key and the
> application key does not actually provide the required key separation
> -
> Separately encrypting the content type is inefficient in a number of
> ways, especially for DTLS (and would need separate security analysis). This
> is probably the most viable of the “try to get both” designs.
I'm saddened by this analysis :( I understand that trial decryption
precludes inplace decryption, and i can see why that makes it a
non-starter for some implementations.
I confess i was hoping that double-encrypting would provide some measure
of useful key separation for cryptanalysis. I don't think i understand
Ilari's explanation in this thread, though, so i'd appreciate any other
attempts to clarify.
> This leaves us with two primary alternatives:
>
> 1. Use the same key (as in the current draft-13)
> 2. Restore a public content type and different keys
Between these two options, I strongly prefer option 1.
> PUBLIC CONTENT TYPES
>
> Clearly, having a public content type and separate keys for handshake and
> application data provides full key separation, at the cost of revealing
> whether a given record is handshake or application data (and potentially
> alerts). The major question that the group had was whether it was actually
> possible to conceal this information effectively, even with encrypted
> content types, since hiding the handshake messages in the application
> traffic requires detailed knowledge about the application traffic pattern
> (e.g., packet lengths, timing, response patterns, etc.). It’s clear some
> analysis of this is needed.
We know that traffic analysis is difficult, and may in some cases be
impossible. This is an area in need of active research. However,
deciding to make it *always* impossible to protect because we don't know
how to protect it absolutely is "security nihilism", and i hoped we were
moving beyond that mindset as a community.
If we don't have a mechanism to hide this metadata, then we certainly
won't develop any useful practice around actually making it
indistinguishable. Protecting users is a multidimensional problem. We
should provide a mechanism to make this information indistinguishable in
the axis we know how to handle (encrypting the material itself) so that
there is a reason for people to work on the axes we don't yet know how
to handle (protecting against traffic analysis).
--dkg
- Re: [TLS] Closing on keys used for handshake and … Douglas Stebila
- [TLS] Closing on keys used for handshake and data… Joseph Salowey
- Re: [TLS] Closing on keys used for handshake and … Dave Garrett
- Re: [TLS] Closing on keys used for handshake and … Ilari Liusvaara
- Re: [TLS] Closing on keys used for handshake and … Björn Tackmann
- Re: [TLS] Closing on keys used for handshake and … Daniel Kahn Gillmor