IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

David Benjamin <davidben@chromium.org> Thu, 01 September 2016 21:35 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F86C12B076 for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:35:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.247
X-Spam-Level:
X-Spam-Status: No, score=-3.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Puue8KkxfEks for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:35:57 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69BF812B039 for <tls@ietf.org>; Thu, 1 Sep 2016 14:35:57 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id c198so4900254ith.1 for <tls@ietf.org>; Thu, 01 Sep 2016 14:35:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I+47GWVpYSx1JBA9cq9ixtfpx8vLmjhh/D8PsMDhrro=; b=X0cjZtUZgLM9PBYeAXWG3+KH00NbVx53y/cGQvSJb1CbD9Q+Mb5KXwL24k5Mq2jJil 1/hN8bvg+++XqB9CogJ1Ma6wXIJPo7ZDQAsLXiBS6aihCpi7EiJBVGE63ubi74B3e8R9 GTb5VDY2RafK1vlIZqWlO0WXlRERZ4iXeFXXs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I+47GWVpYSx1JBA9cq9ixtfpx8vLmjhh/D8PsMDhrro=; b=asuPCy0kGwAklmVnvT6GQTq8fB+dWKl2haNI9utKKl4GR0hgdxVMQ6tvSw2tJXo2Ie utxJEdTZo/NebEJvn33n560LEdIACIqZ71nLlEQNILWP7kH1Rj9oa9P5tEODRDu5IAXC P4nwjpYPW63Ic2aFD9xcbaA7gi/tD9p1LUVUdQIGcuusaCv2hj+o7tuS9yZB0Ra06OKR dVd2N/OZtLYPRVkUUdMtT5dWfQQy1V67Awirk9cb/NOgAgE2NobqT7BtFS2n64BFRXoS rbJ7rwMiQ7mBBbDKhqFfb/SJ9Wz0dftpU4F8IUxcieS8ZMf3EWg2urQRzgHO2e6iLhn6 iVgw==
X-Gm-Message-State: AE9vXwO6sEpYS8uI0QwFUUGLUsilCCKH2RNj/iWHoBcOuyRdHPybW2jLKBpatx1XQWJY3F/uRvZvMcNjyz1jGkKy
X-Received: by 10.36.116.131 with SMTP id o125mr24745486itc.7.1472765756662; Thu, 01 Sep 2016 14:35:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com> <95C31431-189C-41ED-A2D2-E370A5FB8F7A@vigilsec.com> <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com> <20160901210952.hj34o2ycel2ssd65@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPNrNziYoE7T9UcjxUYZr4RN3COm=hazikAsmVF6A11_A@mail.gmail.com> <20160901212923.wixkxurtmyxmnsi2@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160901212923.wixkxurtmyxmnsi2@LK-Perkele-V2.elisa-laajakaista.fi>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 01 Sep 2016 21:35:46 +0000
Message-ID: <CAF8qwaDR+qQyGKVFaHc=GHR=MaBshcqhk5Sh0qPMOhpvxXef0Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a114abf70c3c79b053b78ffa2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NjHAGXT_RmDewob1o89Kh8M-hV0>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 21:35:59 -0000

On Thu, Sep 1, 2016 at 5:29 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Sep 01, 2016 at 02:20:02PM -0700, Eric Rescorla wrote:
> > On Thu, Sep 1, 2016 at 2:09 PM, Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > I tried to implement this, and discovered an issue:
> > >
> > > The client handshake traffic secret is needed for deriving client
> > > Finished, and client application traffic secret is only needed after
> > > that point. However, the derivation of client application traffic
> > > secret uses handshake hash post Server Finished.
> > >
> > > So you either need to buffer the handshake hash value, or have two
> > > overlapping client traffic secrets.
> > >
> > > Changing the client application traffic secret context to extend
> > > up to Client Finished would solve the issue.
> > >
> >
> > Hmm.... having the keys in one direction cover the client's certificate
> and
> > certverify
> > and the keys in the other direction not seems pretty sketchy.
> >
> > As I understand this, it's just an aesthetic issue, right?
>
> I don't think this is just aesthetic issue:
>
> - If you derive the traffic secret at the moment the right hash is
>   available, you need to stash the traffic secret for later (one
>   can't overwrite the existing one, since you will need that for
>   ClientFinished).
> - If you derive the traffic secret just before use, you need to
>   have saved the hash value used for derivation, since the
>   ClientFinished (and possibly Certificate(Verify)) has altered it.
>

I do rather like never splitting the DeriveTrafficKey() and UseTrafficKey()
operations. We have to hold on to an extra copy of traffic_secret_0 today
in the single-ladder version for very similar reasons. That only one set of
keys covesr the client certificate is certainly kind of weird. Although I
assume we can just analyze as if it didn't since we were clearly okay with
not including it before.

David

v2.14.0 | Report a Bug | By Email