Re: [TLS] Thoughts on Hardware Support
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sun, 15 February 2015 06:54 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65531A047A for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 22:54:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id un-9VHY5rfbn for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 22:54:26 -0800 (PST)
Received: from emh04.mail.saunalahti.fi (emh04.mail.saunalahti.fi [62.142.5.110]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CEBA1A0318 for <tls@ietf.org>; Sat, 14 Feb 2015 22:54:26 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id F0EF51A261D; Sun, 15 Feb 2015 08:54:22 +0200 (EET)
Date: Sun, 15 Feb 2015 08:54:22 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20150215065422.GA5364@LK-Perkele-VII>
References: <CACsn0cnuHDwOXtqrFwqzVvUQTWxawBRea9it9_URVvZJsjHjWg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACsn0cnuHDwOXtqrFwqzVvUQTWxawBRea9it9_URVvZJsjHjWg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NNXXAWty2HMEtGM2hi_8UrNbErI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on Hardware Support
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Feb 2015 06:54:29 -0000
On Sat, Feb 14, 2015 at 11:23:30AM -0800, Watson Ladd wrote: > Dear all, > > A while ago I promised Michael St. Johns to think hard about his goal > of making it possible to use hardware to secure the record layer > without dirty hacks. For those unaware of the problem, the same key is > used to derive encryption keys that shouldn't go out on the wire, and > IVs that do, and so it becomes difficult to ensure that keys can't be > leaked, if you expose the IV generation. IVs derived from keys do not go on the wire, at least not in any AEAD cipher defined for TLS I have seen. The schemes I am aware have two styles here: 1) First 4 octets are fixed per connection (derived from MS), the remaining 8 are given for each record (too short for nondeteministic operation!). 2) First 4 octets are fixed per connection (derived from MS), the remaining 8 are taken from RSN+epoch (saves 8 octets/record). IIRC, the problem was that by specifying garbage parameters for key derivation, it was possible to get the key as IV. > I think the easiest way is to eliminate the IV derivation entirely, > and have the record layer send the entire nonce each time. if that's > too much a waste of bandwidth, then we can specify entirely the > portion that is in TLS 1.2 derived from the MS. I think this is in > spirit similar to his proposal, but I don't recall the exact details. I think his proposal was to feed the key derivation parameters (complete with key types) to the PRF (and doing odd things with the IV). But if one has typed keys, one can easily define a IV type and use that for IVs (safe if the PRF is any good). So I think the simplest fix would be to append a array of (type, length) descriptors to the current client and server randoms in seed for the subkeys PRF invocation (no need for length of array). E.g. <type byte, 0=>AEAD key, 1=>IV, others reserved> <bit-7-mpint (shortest) length for subkey in bytes> For AES-128-GCM: <server random, 32 bytes> //As currently <client random, 32 bytes> //As currently 00 10 //AEAD encryption subkey, 16 bytes. 00 10 //AEAD encryption subkey, 16 bytes. 01 04 //IV, 4 bytes. 01 04 //IV, 4 bytes. (Total of 72 bytes). For AES-256-GCM and CHACHA-POLY1305: <server random, 32 bytes> //As currently <client random, 32 bytes> //As currently 00 20 //AEAD encryption subkey, 32 bytes. 00 20 //AEAD encryption subkey, 32 bytes. 01 04 //IV, 4 bytes. 01 04 //IV, 4 bytes. (Total of 72 bytes). For XXX-1024-HMAC-YYY256 (128 byte keys, 32 byte IVs): <server random, 32 bytes> //As currently <client random, 32 bytes> //As currently 00 80 01 //AEAD encryption subkey, 128 bytes. 00 80 01 //AEAD encryption subkey, 128 bytes. 01 20 //IV, 32 bytes. 01 20 //IV, 32 bytes. (Total of 74 bytes). -Ilari
- [TLS] Thoughts on Hardware Support Watson Ladd
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Ilari Liusvaara