Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

Ilari Liusvaara <> Tue, 12 July 2016 21:28 UTC

Date: Wed, 13 Jul 2016 00:27:40 +0300
From: Ilari Liusvaara <>
To: Douglas Stebila <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

On Tue, Jul 12, 2016 at 10:00:35AM -0400, Douglas Stebila wrote:
> > On Jul 11, 2016, at 19:24, Andrei Popov <> wrote:
> > 
> > Back to the question...
> > One challenge with this is that exporters are often used to compare
> > things.  For instance, one side signs an exported value, the other
> > validates the signature by independently exporting the same value.
> > Getting different values for a particular exporter will cause some
> > classes of things to fail in subtle ways.
> Agreed, this does create the possibility that the endpoints will export
> different values at different times due to unsynchronized context
> switches.  

It gets worse: KeyUpdate is explicitly designed to work even when
arbitrarily unsynchronized and to run behind the app's back (the
application never having to care about it).

> However, we should compare this failure mode (which might cause two
> "partnered" parties to not get the same exporter key) with the failure
> mode if we use the same EKM for the whole session (which might cause
> more parties than we expect to get the same exporter key).  Fail-closed
> versus fail-open.

Also, I wouldn't expect rekeying to occur very often by default. 24M
records in bulk transfer is quite a bit of data (it would require a
quite fast connection to do that in a few hours even at full blast).
And there is no recommendation on time-based rekeying (and ChaCha can
run as good as forever even on the fastest connections).

So, even if a rekey changed the EKM, it likely would not save you if
the application misused exporters in a way vulnerable to this.

Worth security consideration? Certainly.

Also, why does post-handshake auth seemingly always use traffic_secret_0,
instead of, say, whatever happens to be the newest in the forward (C->S)
direction when the Finished is sent (that would be a well-defined key)?