IETF Logo Mail Archive

[TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

Douglas Stebila <dstebila@gmail.com> Mon, 11 July 2016 19:39 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D2E12D0EC for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 12:39:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ua3H-7zTZ86B for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 12:39:49 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A3E712D19E for <tls@ietf.org>; Mon, 11 Jul 2016 12:39:46 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id 38so16097372iol.0 for <tls@ietf.org>; Mon, 11 Jul 2016 12:39:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-transfer-encoding:subject:message-id:date:to :mime-version; bh=w8v+y1ngR2vrKUl2NtSDhBr+Nk2OmKZCXUZD89a5DWQ=; b=hU/pE96vdAtNkWCxgj+ZEmjw9FNxiYveNZfa8RYyXwGh8wbsA0k5MlMZoqBcOwHwbc 1rSvgHjjGXCM6ipNxc6OIPlnvejOrskwolhQ7+36Y9N7Qo0Rfhnwyb76e7hexLRmXfMd XmR+dljgXi8LXpLZWVibHwshbuTltR2x3avMaM6xG+/Rxa7vc2GaON1nA+uc6UjnTOhi HFj+XynzQu8kF+T0HtKl/UnxsPl47mP0Qb/FbO7SdH1BPFE0G1E/m+7PgdWQqH3vE8JA CaXGmcfmWRrxBWGCXPZ6CpSD9ltxdclEEC58vgMYcVOrncGUCBMc0hqBmKn43R99Tk3P BgKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=w8v+y1ngR2vrKUl2NtSDhBr+Nk2OmKZCXUZD89a5DWQ=; b=BQ8o2NDganrp7MbvrAq0WYeT1QpvG6LWvHJq4W68geUo2ixhKUKll+UBnOT3P/iS1m enDW650/JP10+byZPbKJfSpv3bDUp6ubwatP1RN6QInPP0kDPupThgzP0wxL5glt+kfU EALZ+DMHKlUnSnqk/KQq/XcYoSoW5uz58gH71wZYqo0c4LKl8LqhlEsCSGGVEzFZW4aX FwP7IDIbAsNo7cswmIBj2F8w8Grnbt2crP53IYUsAdVW680GMnnQ4hhOvA5suxtm88yw SuqtEkXFgbvS6TGW1nb2qEl5wJJabfm0qPHNrYyqXRHlnVmej64LKzi50RBgqgPdEdH8 +QxA==
X-Gm-Message-State: ALyK8tIMi3B6sGWSKjiRp/CiY9M80en70WGAHMlcj+NEhFSJbCHdnPiPO0wu92J16lScvw==
X-Received: by 10.107.187.196 with SMTP id l187mr23711314iof.28.1468265985557; Mon, 11 Jul 2016 12:39:45 -0700 (PDT)
Received: from stebila-imac.cas.mcmaster.ca (stebila-imac.cas.McMaster.CA. [130.113.68.195]) by smtp.gmail.com with ESMTPSA id m70sm8105450itm.1.2016.07.11.12.39.44 for <tls@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 11 Jul 2016 12:39:44 -0700 (PDT)
From: Douglas Stebila <dstebila@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <C6FAB38B-FF5A-43D3-A0DB-554FAF23ED92@gmail.com>
Date: Mon, 11 Jul 2016 15:39:43 -0400
To: "tls@ietf.org" <tls@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ia309DiFXCZ7S5e0GZEQEQngCuU>
Subject: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 19:39:50 -0000

Some of the discussions I've had with people about post-handshake client authentication have raised the question of whether application traffic secrets should be updated automatically upon post-handshake client authentication: the thinking being that every change in context should be accompanied by a change in keying material.  I used to think that was a good idea for TLS 1.3, although it was recently argued to me that if we view the application traffic secrets as being "internal" to the TLS protocol, then the change in client authentication status doesn't change the confidential or integrity properties of the record layer, it just serves as a "marker" to the application that certain portions of the application data were associated with certain authentication contexts.  I was convinced that this can be safely accomplished without a change in application traffic secret key material.

But I'm not sure that the same applies to *exporter* keys.  Should exported keying material change as the authentication context changes?

Consider a long-lived TLS connection, where different users come and go.  For example, a web browser on a public terminal may have established a long-lived TLS connection to a particular website, and send subsequent requests to the same website over the same TLS connection.  Now imagine two users use the terminal one after another:

1: initial handshake on a public terminal
2: [time passes]
3: Alice starts browsing
4: Alice does post-handshake client authentication
5: Alice purchases something
6: Alice hits "logout" at the application layer
7: [time passes]
8: Bob starts using the terminal
9: Bob does post-handshake client authentication
10: Bob purchases something
11: Bob hits "logout" at the application layer

TLS 1.3 will tell the application about events 4 and 9.  Events 6 and 11 happen at the application layer rather than the TLS layer (since I don't think TLS 1.3 has a client-de-authentication option).  But putting this all together, the application will learn all the correct authentication contexts: 1-3 is anonymous, 4-5 is Alice, 6-8 is anonymous, 9-10 is Bob, 11-onwards is anonymous.

Now imagine that we use keying material exporters in on lines 5 and 10:

1: initial handshake on a public terminal
2: [time passes]
3: Alice starts browsing
4: Alice does post-handshake client authentication
*5: Alice presses the "export keying material" button
6: Alice hits "logout" at the application layer
7: [time passes]
8: Bob starts using the terminal
9: Bob does post-handshake client authentication
*10: Bob presses the "export keying material" button
11: Bob hits "logout" at the application layer

Since the exporter master secret is not updated when client authentication changes, Alice and Bob will export the same keying material at steps 5 and 10.  If the intended goal of this exported key is for Alice to obtain confidentiality in some other use, this will not be achieved, since Bob will obtain the same exported key.

Now, a proviso is that RFC 5705 allows for the application to mix a "context value" into the export, which could mitigate this, but that is optional.

So it seems to me like in at least some scenarios, exported keying material should be associated with authentication context.  It is less clear to me if the same holds true for KeyUpdates.

Douglas

v2.23.0 | Report a Bug | By Email