Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
Eric Rescorla <ekr@rtfm.com> Tue, 12 July 2016 03:14 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DF2212D73D for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 20:14:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lml-YU1i-btb for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 20:14:05 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DF812B046 for <tls@ietf.org>; Mon, 11 Jul 2016 20:14:05 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id l125so2847465ywb.2 for <tls@ietf.org>; Mon, 11 Jul 2016 20:14:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xqS8DuupRY0HWfiDAR9xqo1JOQTDzOvG4VYl15wLeU0=; b=Sn3CfjFO+YkEvdU7QWKPcAlLfIBdnSVY3AWcAy4qcK9ROZE2+jSJ7kFKeAK0v90NeY XyB4uBoM3g7s7GtTSeKTzZDxhG3QzQXWbSvPEL61tEFA4GMbcpZHXpRORbMeHHmS6PXC OXHOucPqDUecHOEDyotHpVyusN9U1d8b0fYOtaPP21gvAQmZfc02Zl6+JcDwLBuEdrxx NaqNd8qSz1aCaCDLSD51JSqmRwM1SyC0DIXMFlaTxtg0tP3kAeA+p4dGUIBw6nvQDuge 9e9fiIQQkdUHr24shg7X3U+eR9wxpGkUUrp98bQq9qW7F1Xk8uqalDLn0VPRQQG1zNic BD1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xqS8DuupRY0HWfiDAR9xqo1JOQTDzOvG4VYl15wLeU0=; b=iRBdjC/yyPsQW4UX/l5F07U4iUTVWoYJ6XUfdJtJyFYw4qQiZx6eQSo09lDajzYYPs Rr5Q/Spu2PP+bfFice7H1Yllv7fk7qsFpBDz3XaloDHzIqYqOIcVFEHCdD4sQIM8yRD5 c5PnDMZ2SH3ZknwNHJNTMB+xK+961Czf1IhCj3cjCYBWJvJ9mCrrTZeWI4AzG1JwIbbJ w/iJPPK4m9H2dqysBOG0WgnZGLLPlF1w8oChEErUe6rwxk3jcNlrcWFTKKtMc85JoOsP xUurntOOYZVnWa8JH+jkdWZWW3vvLyw7RsB2NfP789p9L7oUesqYfmTiga4i8bUUjDIb cZvg==
X-Gm-Message-State: ALyK8tIE8g322egmVpf8Ib0Y2Fhox7i5AATP70ieoxfBBHqwRatI2Wox2VXkBOwIlPGn6nvUtxUwp/fey9Z/Kg==
X-Received: by 10.129.161.129 with SMTP id y123mr9297121ywg.214.1468293244392; Mon, 11 Jul 2016 20:14:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.152.13 with HTTP; Mon, 11 Jul 2016 20:13:24 -0700 (PDT)
In-Reply-To: <CADi0yUMbjJHn3Bb+p52QBwSVptp-eDJRZs8-Yxa6dOLFMhCqzw@mail.gmail.com>
References: <C6FAB38B-FF5A-43D3-A0DB-554FAF23ED92@gmail.com> <CABkgnnXjoQnAmsUBnU1MjF5cotFCRYF9VHUayv3K9xD+dN1QUQ@mail.gmail.com> <CADi0yUMbjJHn3Bb+p52QBwSVptp-eDJRZs8-Yxa6dOLFMhCqzw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 11 Jul 2016 20:13:24 -0700
Message-ID: <CABcZeBN0sK5LXEKeBEELQ9Y4SdVc6oG4HupyCmBMQsQMvRb50g@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="001a114f8db2424ae0053767a9cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L_Zs9R-HR-JcjywNJHKlFez5Wa0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 03:14:07 -0000
On Mon, Jul 11, 2016 at 7:56 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > > > On Mon, Jul 11, 2016 at 9:13 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > >> Not taking any position on the question, which I think is a fine thing >> to ask, but... >> >> I'd just like to point out that the example is flawed in the sense >> that the system permits both users to share state. When Alice logs >> out, that needs to include any state that might have been accumulated >> to Alice. This necessarily includes any sessions, including that TLS >> connection. >> >> If we imagine that this is a browser, then you also need to flush >> caches and remove cookies before the system is usable by another user. >> There might be operating system level things as well. Machines in >> internet cafes often create temporary accounts, or even rebuild the >> entire machine between users for this reason. >> >> Back to the question... >> One challenge with this is that exporters are often used to compare >> things. For instance, one side signs an exported value, the other >> validates the signature by independently exporting the same value. >> Getting different values for a particular exporter will cause some >> classes of things to fail in subtle ways. >> > > This is unrelated > to the issue > s > raised by Douglas > , but if the exporter *key* is intended for use as a unique session > identifier > > (or a sort of "channel binding") then calling it a "key" is misleading. > For example, while a key of 128 bits is perfectly fine (e.g. for AES-128), > such length is insufficient as a channel binding string (where resistance > to birthday attacks seems necessary). I do not see a note on this in the > TLS document or RFC 5705. > I filed the following issue so we would remember this: https://github.com/tlswg/tls13-spec/issues/540 -Ekr > Hugo > > >> >> On 12 July 2016 at 05:39, Douglas Stebila <dstebila@gmail.com> wrote: >> > Some of the discussions I've had with people about post-handshake >> client authentication have raised the question of whether application >> traffic secrets should be updated automatically upon post-handshake client >> authentication: the thinking being that every change in context should be >> accompanied by a change in keying material. I used to think that was a >> good idea for TLS 1.3, although it was recently argued to me that if we >> view the application traffic secrets as being "internal" to the TLS >> protocol, then the change in client authentication status doesn't change >> the confidential or integrity properties of the record layer, it just >> serves as a "marker" to the application that certain portions of the >> application data were associated with certain authentication contexts. I >> was convinced that this can be safely accomplished without a change in >> application traffic secret key material. >> > >> > But I'm not sure that the same applies to *exporter* keys. Should >> exported keying material change as the authentication context changes? >> > >> > Consider a long-lived TLS connection, where different users come and >> go. For example, a web browser on a public terminal may have established a >> long-lived TLS connection to a particular website, and send subsequent >> requests to the same website over the same TLS connection. Now imagine two >> users use the terminal one after another: >> > >> > 1: initial handshake on a public terminal >> > 2: [time passes] >> > 3: Alice starts browsing >> > 4: Alice does post-handshake client authentication >> > 5: Alice purchases something >> > 6: Alice hits "logout" at the application layer >> > 7: [time passes] >> > 8: Bob starts using the terminal >> > 9: Bob does post-handshake client authentication >> > 10: Bob purchases something >> > 11: Bob hits "logout" at the application layer >> > >> > TLS 1.3 will tell the application about events 4 and 9. Events 6 and >> 11 happen at the application layer rather than the TLS layer (since I don't >> think TLS 1.3 has a client-de-authentication option). But putting this all >> together, the application will learn all the correct authentication >> contexts: 1-3 is anonymous, 4-5 is Alice, 6-8 is anonymous, 9-10 is Bob, >> 11-onwards is anonymous. >> > >> > Now imagine that we use keying material exporters in on lines 5 and 10: >> > >> > 1: initial handshake on a public terminal >> > 2: [time passes] >> > 3: Alice starts browsing >> > 4: Alice does post-handshake client authentication >> > *5: Alice presses the "export keying material" button >> > 6: Alice hits "logout" at the application layer >> > 7: [time passes] >> > 8: Bob starts using the terminal >> > 9: Bob does post-handshake client authentication >> > *10: Bob presses the "export keying material" button >> > 11: Bob hits "logout" at the application layer >> > >> > Since the exporter master secret is not updated when client >> authentication changes, Alice and Bob will export the same keying material >> at steps 5 and 10. If the intended goal of this exported key is for Alice >> to obtain confidentiality in some other use, this will not be achieved, >> since Bob will obtain the same exported key. >> > >> > Now, a proviso is that RFC 5705 allows for the application to mix a >> "context value" into the export, which could mitigate this, but that is >> optional. >> > >> > So it seems to me like in at least some scenarios, exported keying >> material should be associated with authentication context. It is less >> clear to me if the same holds true for KeyUpdates. >> > >> > Douglas >> > _______________________________________________ >> > TLS mailing list >> > TLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Ilari Liusvaara
- Re: [TLS] Should exporter keys be updated with po… Andrei Popov
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Bill Cox
- Re: [TLS] Should exporter keys be updated with po… Douglas Stebila
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Hugo Krawczyk
- Re: [TLS] Should exporter keys be updated with po… Martin Thomson
- Re: [TLS] Should exporter keys be updated with po… Andrei Popov
- [TLS] Should exporter keys be updated with post-h… Douglas Stebila