Re: [TLS] Doing without renegotiation
Watson Ladd <watsonbladd@gmail.com> Thu, 17 April 2014 16:33 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECCDA1A0241 for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 09:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Level:
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U479ULR8ZIRZ for <tls@ietfa.amsl.com>; Thu, 17 Apr 2014 09:33:34 -0700 (PDT)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) by ietfa.amsl.com (Postfix) with ESMTP id DFB191A01FE for <tls@ietf.org>; Thu, 17 Apr 2014 09:33:33 -0700 (PDT)
Received: by mail-yk0-f172.google.com with SMTP id 200so532159ykr.17 for <tls@ietf.org>; Thu, 17 Apr 2014 09:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=iGOGnI3AoeIUhPiDkX0usRo/7NpVUM7735Q9Iuuo9BU=; b=NnN/ml5NpZnc6TSDqUImfj8qzB8MgTPnxpyJxeKVHBTFpMPr5IXJKE9Rqk27WwQVQa n9rTGnh6djs6kT1/taYutJaPyleMrQLcRGZtr0IxSNIdSRoPOs234yOPUArFbQ8Xfe15 Ifk33keN1K4BZvu9uWGXrQ0olnLb/y4Llfw1k3HzcFb3huOLZCtbmUhCtLiWI57p/uYs dGWPSJNijoMLqG/ReThpx7y+FD8XoJYRUawjOZO/leET0D9bpmRC5shWY8ObH9KO629M uaHemfjpcgA10SNfsz8idku9umOs+tf+98EHbfANNBnu/j9GtlYgGxLppj9ygTF3yZUO g24g==
MIME-Version: 1.0
X-Received: by 10.236.179.162 with SMTP id h22mr23588144yhm.107.1397752410092; Thu, 17 Apr 2014 09:33:30 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Thu, 17 Apr 2014 09:33:30 -0700 (PDT)
In-Reply-To: <CAK3OfOhMsuEQcWRrqOGBumQHev3obo8SDXB=-jA2E8pEC=zfcQ@mail.gmail.com>
References: <20140417035011.GA25499@localhost> <534F6A06.6090508@streamsec.se> <CAK3OfOhMsuEQcWRrqOGBumQHev3obo8SDXB=-jA2E8pEC=zfcQ@mail.gmail.com>
Date: Thu, 17 Apr 2014 09:33:30 -0700
Message-ID: <CACsn0c=OizQmiCPRyCkYLn03Z5PwterLR4YKyxzJtncqnaz9sg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LaDJJ7PRpI41rL5AlHcy5IntUCA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Doing without renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 16:33:38 -0000
On Thu, Apr 17, 2014 at 9:03 AM, Nico Williams <nico@cryptonector.com> wrote: > On Thu, Apr 17, 2014 at 12:43 AM, Henrick Hellström > <henrick@streamsec.se> wrote: >> On 2014-04-17 05:50, Nico Williams wrote: >>> - For rekeying just introduce a CCS-like record whose purpose is to >>> indicate that the sender is changing to new keys on the send side. >>> The new keys are derived from the same master secret as the preceding >>> keys, in the same way, but with a counter appended to the "key >>> expansion" salt. >>> >>> There's no need to synchronize, but DTLS requires retransmission of >>> such messages else when dropped the recipient will not be able to >>> decrypt any subsequent messages. >> >> >> This might be an option if the purpose of the renegotiation is just to >> reduce the risk of state collisions in the bulk encryption cipher, but it is > > Yes, much like SSHv2 recommends rekeying after 2^L/4 packets, where L > is the cipher's block length (sadly no reference is given for this). Real or random security. If we instantiate CBC mode with a PRF instead of a PRP the security declines quadratically as we might call the PRF on the same block with birthday bound issues. The PRP->PRF replacement is another quadratic factor. So we get a probability of distinguishing that is quartic in the number of blocks. I don't know if this is an upper bound as well, or if other proof techniques can increase this bound. For CTR mode the only loss is quadratic from PRP->PRF. > >> no replacement for renegotiation of DHE/ECDHE sessions in order to refresh >> the perfect forward secrecy. > > This could be done with a single round trip, no need for a full > handshake. The payloads containing the ephemeral keys for rekeying > could be sent opportunistically when the application writes. This actually doesn't work as well as you think it does. Suppose Alice is sending a long message to Bob and needs to rekey in the middle of the message. Alice sends her half of the ephemeral key exchange. Before Bob can read the rest of the long message, he needs to send data to Alice. It's cleaner than renegotiation, but still has the C problem. However, what it does isn't worth doing. PFS means that revelation of the long term keys doesn't compromise a connection made before the revelation. This holds true even if the connection lasts beyond the compromise. If you leak the long term keys and the connection keys, it's game over. If you leak only the connection keys, then we need to reestablish a connection using the long term keys, and can't use the compromised keys for authentication. I do see the issue with letting keys stay in memory that can decrypt lots of communications, but I think a cleaner method is to do the proposed rekeying in such a way that the state transformation is irreversible. Sincerely, Watson Ladd > > Nico > -- > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Doing without renegotiation Nico Williams
- Re: [TLS] Doing without renegotiation Henrick Hellström
- Re: [TLS] Doing without renegotiation Yoav Nir
- Re: [TLS] Doing without renegotiation Nico Williams
- Re: [TLS] Doing without renegotiation Nico Williams
- Re: [TLS] Doing without renegotiation Watson Ladd
- Re: [TLS] Doing without renegotiation Martin Thomson
- Re: [TLS] Doing without renegotiation Martin Thomson