[TLS] Traffic secrets: What's in handshake transcripts?
Ben Smyth <research@bensmyth.com> Wed, 06 May 2020 08:08 UTC
Return-Path: <research@bensmyth.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46E023A07EA for <tls@ietfa.amsl.com>; Wed, 6 May 2020 01:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bensmyth.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CiJoGiKeBzmH for <tls@ietfa.amsl.com>; Wed, 6 May 2020 01:08:43 -0700 (PDT)
Received: from 1.smtp.34sp.com (1.smtp.34sp.com [46.183.9.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 658A73A07E9 for <tls@ietf.org>; Wed, 6 May 2020 01:08:42 -0700 (PDT)
Received: from smtpauth3.mailarray.34sp.com (lvs5.34sp.com [46.183.13.73]) by 1.smtp.34sp.com (Postfix) with ESMTPS id 6FA2A14800CA for <tls@ietf.org>; Wed, 6 May 2020 09:08:03 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bensmyth.com; s=dkim; t=1588752483; bh=3u8FvvT8r+vrhExTLkeBYZPGCuqAM3BVrvL2zFjJLRQ=; h=Reply-To:From:Date:Subject:To; b=R9s8/bacHVfik4UNYL4XQorKKeoyyfMNvqwQ0xb1kbteKT3tgJfYuPk0x40+ETFoU b68aTtJHMbUwJQzszIPAxJCRD3hc6pUH13NPWNFr4knn131akm1LPjXYREZxrvLnZI ODz5bUc9O5E0bsMgeKlpJUwubp74Akz1ObOXX5aI=
Received: from mail-ej1-f50.google.com ([209.85.218.50]:38523) by smtpauth3.mailarray.34sp.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <research@bensmyth.com>) id 1jWF63-0000M8-GG for tls@ietf.org; Wed, 06 May 2020 09:08:03 +0100
Received: by mail-ej1-f50.google.com with SMTP id rh22so554896ejb.12 for <tls@ietf.org>; Wed, 06 May 2020 01:08:03 -0700 (PDT)
X-Gm-Message-State: AGi0PuZ5+ffLL8L+EjeWIIe56nngis9VkE5MZAAsdaixGXlvIhPQKR8e w0pgQwo8w68zEXypG1Pi7cEno1DweKvqu/TKGNU=
X-Google-Smtp-Source: APiQypK3Mec8b/UAtnA1f4oYLZttOUTfdMHcfXQeqNfXg9uqt1LsYdh3pprxbp6suR95lqUKBzvNYXKw2Eep8ysqiko=
X-Received: by 2002:a17:906:1387:: with SMTP id f7mr5997949ejc.333.1588752483160; Wed, 06 May 2020 01:08:03 -0700 (PDT)
MIME-Version: 1.0
Reply-To: research@bensmyth.com
From: Ben Smyth <research@bensmyth.com>
Date: Wed, 06 May 2020 10:07:36 +0200
X-Gmail-Original-Message-ID: <CA+_8xu3=U3iTs3CHTc6Qi5e+PLFeTm+fKbP=sn2Mza55TjyiOA@mail.gmail.com>
Message-ID: <CA+_8xu3=U3iTs3CHTc6Qi5e+PLFeTm+fKbP=sn2Mza55TjyiOA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006518eb05a4f64364"
X-Authenticated-As: research@bensmyth.com
X-OriginalSMTPIP: 209.85.218.50
X-34spcom-MailScanner-Information: Please contact the ISP for more information
X-34spcom-MailScanner-ID: 6FA2A14800CA.A7426
X-34spcom-MailScanner: Found to be clean
X-34spcom-MailScanner-SpamCheck: not spam, SpamAssassin (score=-20.1, required 6.5, autolearn=disabled, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, SPF_PASS -0.00, X34SP_ALLOW_GMAIL_EVEN_IF_BLACKLISTED -10.00, X34SP_OVERRIDE -10.00)
X-34spcom-MailScanner-From: research@bensmyth.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NBJJv1gICx_d39gRYy09FfXumNk>
Subject: [TLS] Traffic secrets: What's in handshake transcripts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 08:08:45 -0000
As far as I can tell, secret [sender]_handshake_traffic_secret is computed over transcript CH || SH or CH || HRR || CH || SH. (A server can compute their secret once they've computed SH, whereas a client must wait until they've received SH before computing their secret.) Secret server_application_traffic_0 is computed over an extended transcript which additionally includes EE, (optionally) CR, (optionally) CT & CV, and FIN, and secret client_application_traffic_0 further extends that transcript to include (optionally) EndOfEarlyData, (optionally) CT, (optionally) CV, and FIN. Is that right? Best regards, Ben