[TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 05 September 2014 16:09 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 753D41A0739 for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 09:09:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08QbI6hUe0-P for <tls@ietfa.amsl.com>; Fri, 5 Sep 2014 09:09:03 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 840B51A034D for <tls@ietf.org>; Fri, 5 Sep 2014 09:09:03 -0700 (PDT)
Received: from [10.70.10.54] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 2BF70F984; Fri, 5 Sep 2014 12:08:59 -0400 (EDT)
Message-ID: <5409E00D.1070703@fifthhorseman.net>
Date: Fri, 05 Sep 2014 12:08:45 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: Markulf Kohlweiss <markulf@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
References: <C90F31503317124C8A9B59786EF212EA032D2C@AMSPRD3001MB017.064d.mgd.msft.net>
In-Reply-To: <C90F31503317124C8A9B59786EF212EA032D2C@AMSPRD3001MB017.064d.mgd.msft.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KUcz5L9X0R4R-c6n9NEHP4olqPo
Subject: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 16:09:06 -0000

Hi Markulf--

Thanks for your post encouraging ongoing collaboration between the 
theoretical and engineering sides of the security community.  This is a 
worthwhile goal.

Can you provide clarification on this point below?

On 09/02/2014 11:03 AM, Markulf Kohlweiss wrote:
> * To remove distraction and be closer to standard models like Bellare
>    & Rogaway, we would prefer unencrypted finished messages. In
>    practice this means that the finished message should be sent before
>    the ChangeCipherSuite message.

I understand that the goal here is to be able to improve cryptanalysis 
of the confidentiality guarantees provided to the application data 
stream.  Does this mean that the finished message needs to be 
unencrypted, or does it just mean that the finished message (and/or 
other parts of the handshake) should not be encrypted using the same 
keying material/session as the application data?

That is, would the cryptanalytic side of the community be OK with having 
the handshake messages encrypted as long as they were using keys/session 
material that are distinct from the keys/session material used for the 
application data?

Part of the TLS WG's charter for 1.3 is to encrypt as much of the 
handshake data as possible.  I don't want that goal to interfere with 
theoretical cryptanalysis, but there are serious privacy concerns 
related to the handshake data that is sent in the clear in TLS 1.2 and 
below.  If the cryptanalysis community insists on entirely cleartext 
handshake data, that will be in direct opposition to one of the two 
major prongs of the TLS charter.

(as an aside, it would be nice to get some cryptanalytic review of any 
confidentiality/integrity we attempt to provide for the handshake 
material itself, though i understand this may be a separate question 
from the confidentiality/integrity guarantees we strive for in the 
application data)

Regards,

	--dkg