IETF Logo Mail Archive

Re: [TLS] Premaster/Master convention

Michael StJohns <msj@nthpermutation.com> Wed, 30 July 2014 20:43 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C5B1A0125 for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 13:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e16X4inB-4zI for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 13:43:29 -0700 (PDT)
Received: from mail-qg0-f50.google.com (mail-qg0-f50.google.com [209.85.192.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7942A1A0146 for <tls@ietf.org>; Wed, 30 Jul 2014 13:43:28 -0700 (PDT)
Received: by mail-qg0-f50.google.com with SMTP id q108so2587392qgd.23 for <tls@ietf.org>; Wed, 30 Jul 2014 13:43:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=50wHh1onqG18i7aL5ce169sCfHptrzoJrejzRofX7uE=; b=cR+VxawO+6rI04E7e5j3Py5ihFbWquDd/OqYd95hXRgNUbXtBsVBl2Wu+gjxaaCiuw 1zM31z1H6qYUKaYzXNanBh0d7CqTTX4vdtcZuE7o2u2CIdDd2cWi9GH1sAvsmBnMuWX2 JYR98cY5tC4DRoyGr+1SJ/ok4YwWlz7rZNzs2RwW1VkhfwR9HsfQB18h2SLUUQUh8PIf dn0unszIy6dOQ/uuPVcsztQ5OFRmSTMNZApgZ4eolJPzsIMWdNrTtKQcmCIjVwo3W/Kr kX4MHa6TK2OwQfPQct0ae6u7C94qXJrtZO/3hGHUsmPD6yFVyE5Xr06uZtX4U2NIGkIL MfSA==
X-Gm-Message-State: ALoCoQnGHS6w7VheYztnDaEn0FCI09Z6tYNDs6gGJTrr/A37HaT1TNr5u1d3N6Eggq+cuoMKXnX3
X-Received: by 10.140.50.133 with SMTP id s5mr10255802qga.33.1406753007761; Wed, 30 Jul 2014 13:43:27 -0700 (PDT)
Received: from [172.27.7.54] (75-104-68-185.mobility.exede.net. [75.104.68.185]) by mx.google.com with ESMTPSA id c6sm5763143qag.36.2014.07.30.13.43.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Jul 2014 13:43:27 -0700 (PDT)
Message-ID: <53D958E8.6080907@nthpermutation.com>
Date: Wed, 30 Jul 2014 16:43:20 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <53D907B0.3000006@nthpermutation.com> <CABcZeBOCC5-=PVmMyORL7H4BTiixrVWC4TK8=D=sMnqx_Gpcqg@mail.gmail.com> <53D91B89.3020506@nthpermutation.com> <CABcZeBNRvceBdgA16ojEPYAzbAHWcPwTo=C8e26NugoUNkWEJA@mail.gmail.com>
In-Reply-To: <CABcZeBNRvceBdgA16ojEPYAzbAHWcPwTo=C8e26NugoUNkWEJA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090505080707040208060905"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NagIZQQdf8RmcNh_ANLM7X1E8ns
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Premaster/Master convention
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 20:43:32 -0000

On 7/30/2014 12:26 PM, Eric Rescorla wrote:
>
>
>
> On Wed, Jul 30, 2014 at 9:21 AM, Michael StJohns 
> <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote:
>
>     On 7/30/2014 12:00 PM, Eric Rescorla wrote:
>>     As discussed in the interim we are going to want to roll over the
>>     MS periodically. Life will be a lot easier if it has a uniform
>>     structure.
>>
>>     Moreover, just because we aren't using key transport doesn't mean
>>     there aren't other mechanisms with funky shared secrets, e.g.,
>>     PSK.
>
>     I don't think either of these are show stoppers - although I don't
>     know exactly what you mean by "uniform structure" here.  Do you
>     mean "because that's the way its done in TLS1.2 and before and we
>     want backwards compatibility"?
>
>
> I mean always have the secret you use for key derivation be
> the same size and unstructured and get to it the same way,
> regardless of the starting secret.
>
> Thus, I would prefer to stick with the same PMS->MS flow.

You already have a disconnect in size on with respect to the premaster 
secret - it's going to be 32 bytes for P256 ECDH, something larger for 
DH depending on the group. (random length) -> (48 bytes)

You also have a disconnect on the output - any number of keys of any 
size.  (48 bytes) -> (random sizes)

So why you think that its important to have an impedence match of 
(random size} -> 48 bytes -> (random sizes) is unclear to me.

Is there a specific technical issue with {random length} -> { random 
lengths} that you can see?  I understand you have a preference, I'm 
asking if you can see a reason why this would weaken security?

There's the final issue that  - as I read the HMAC document and the 
precursor technical papers - you don't really get anything with respect 
to security using keys over the native output length of the underlying 
hash, and that you weaken security if you use less bits than that.  So 
48 bytes is fine up to a hash of 384 bits, but is the possibly limiting 
security factor for anything larger.  I don't know that we're going to 
be going to anything above 192 bits of (to include 384 bit hash 
functions) any time soon, but I would hate for this 48 bit legacy value 
to be the unforeseen security ceiling.

*My* preference is for the input keys and the output keys to be matched 
to the needs of the cryptographic suite.  That 384 bits of premaster 
secret is good up to SHA384, but may represent a smaller security 
strength for non-NIST hashes.   I *think* this 48 octet value is the 
last fixed length security key in the standard.

Mike

>
> -Ekr
>
>
>     In the former case, its pretty simple to do:
>
>     (KA)->master_secret -> next_master_secret  - either as part of the
>     first context call (to derive the session and handshake keys), or
>     as a separate context call (to specifically generate a new master
>     secret.
>
>     E.g. the derive looks like:
>
>     (KA) -> master_secret
>                      -> next_master_secret
>                      -> handshake key
>                      -> client_write_AEAD
>                      -> server_write_AEAD
>
>     next_master_secret
>              -> next_master_secret
>              -> handshake_key
>              -> client_write_AEAD
>              -> server_write_AEAD
>
>     Or it looks like
>
>     (KA) -> master_secret (key expand)
>              -> handshake key
>              -> client_write_AEAD
>              -> server_write_AEAD
>
>     master_secret (nextmaster)
>           -> next_master_secret
>
>     (where key expand and nextmaster are differing labels and KDF
>     contexts).
>
>     In the PSK case, with key transport, doing the pre_master->master
>     derive allows you to mix in random data from both sides so that
>     the master_secret isn't only chosen by one side so there's some
>     security benefit there.  In the PSK model, that's not an issue as
>     both sides have already agreed upon a key.
>
>     Mike
>
>
>
>>
>>     -Ekr
>>
>>
>>
>>     On Wed, Jul 30, 2014 at 7:56 AM, Michael StJohns
>>     <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote:
>>
>>         Given that TLS1.3 only does KeyAgreement, is there still any
>>         reason for the premaster -> master_secret derivation step?
>>          We do (KA)->premaster and then premaster -> master and then
>>         master->(session keys).   We could probably do
>>         (KA)->master->(session keys) where the master secret is now
>>         the KA shared secret rather than premaster.
>>
>>         1) Is there any security reason for retaining the extra step
>>         given there is no longer a KeyTransport mechanism in TLS1.3?
>>         2) Are there other *good* - non-security - reasons for
>>         retaining the extra step?
>>
>>         Mike
>>
>>
>>
>>         _______________________________________________
>>         TLS mailing list
>>         TLS@ietf.org <mailto:TLS@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/tls
>>
>>
>
>

v2.23.0 | Report a Bug | By Email