Re: [TLS] [kitten] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Sam Whited <sam@samwhited.com> Wed, 10 November 2021 01:26 UTC

Date: Tue, 09 Nov 2021 20:26:08 -0500
From: Sam Whited <sam@samwhited.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, Dave Cridland <dave@cridland.net>
Cc: KITTEN Working Group <kitten@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NJkzC9Vjhma3QK2tlwjZw_bl9jU>

I'm still struggling to figure out what the exact problem is you're
describing or if you have an actual class of attack in mind that might
be possible due to this, but the following in your previous email jumped
out at me:

On Tue, Nov 9, 2021, at 13:03, Jonathan Hoyland wrote:
> If you include channel bindings in your key derivation then you cannot
> assume that the keys are unrelated.

Is this the crux of the issue you're pointing out? If so, I'd say surely
you need to do a formal analysis of a specific key derivation mechanism
instead of the data being mixed into it, and you can't (and shouldn't)
worry about all future mechanisms.

If a key derivation mechanism is so weak that mixing in the same
arbitrary string to two keys results in related keys that can be
correlated or attacked, this is a weakness in the key derivation
function and not something that can be solved by adding more
randomness to every possible set of bytes that could ever be hashed
into those keys.

In other words: keys should be unpredictable and not leak data used to
derive them; if they do, the data is not at fault.

—Sam
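
The point about the key derivation function can be shown concretely. This is an added example, not part of the original message or of the draft: it mixes one shared channel binding into two keys, first with HKDF-SHA256 (RFC 5869) and then with a deliberately weak toy construction. The secret, the binding value, the labels and `derive_weak` are constructed for illustration.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256; an empty salt means 32 zero bytes."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_hkdf(secret: bytes, label: bytes, channel_binding: bytes) -> bytes:
    # Length-prefix the label so (label, binding) pairs cannot collide.
    info = bytes([len(label)]) + label + channel_binding
    return hkdf_expand(hkdf_extract(b"", secret), info)

def derive_weak(secret: bytes, label: bytes, channel_binding: bytes) -> bytes:
    # Hypothetical, deliberately weak toy "KDF": XOR the context into the secret.
    ctx = (label + channel_binding).ljust(len(secret), b"\x00")[: len(secret)]
    return xor(secret, ctx)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample values, not taken from any real session.
SECRET = bytes(range(32))
BINDING = hashlib.sha256(b"constructed channel binding value").digest()
LABELS = (b"client key", b"server key")

def compare(derive):
    """Return (XOR of the two keys, differing bits) for one shared binding."""
    k1, k2 = (derive(SECRET, label, BINDING) for label in LABELS)
    return xor(k1, k2), hamming(k1, k2)

if __name__ == "__main__":
    for name, fn in (("weak", derive_weak), ("hkdf", derive_hkdf)):
        relation, bits = compare(fn)
        print(f"{name}: {bits} differing bits, k1^k2 = {relation.hex()}")
```

With the toy construction, the XOR of the two keys equals the XOR of the two labels followed by zero bytes, a relation anyone can compute without the secret; with HKDF the same shared binding leaves the keys differing in roughly half their bits.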