Re: [TLS] FYI: new TLS HandshakeType allocation, from draft-ietf-perc-srtp-ekt-diet

Richard Barnes <rlb@ipv.sx> Tue, 03 September 2019 17:59 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C741200A1 for <tls@ietfa.amsl.com>; Tue, 3 Sep 2019 10:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vrr1SBM8xuIy for <tls@ietfa.amsl.com>; Tue, 3 Sep 2019 10:58:58 -0700 (PDT)
Received: from mail-oi1-x242.google.com (mail-oi1-x242.google.com [IPv6:2607:f8b0:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C16112006D for <tls@ietf.org>; Tue, 3 Sep 2019 10:58:58 -0700 (PDT)
Received: by mail-oi1-x242.google.com with SMTP id t24so13463084oij.13 for <tls@ietf.org>; Tue, 03 Sep 2019 10:58:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XfWlJu53yn+0hEsyON68r9852+rlLWA992Zo78WM1Ck=; b=QRIYc508oTsjQXVBbnGH+qOk0qQyOu3mKJe1odMVxQHQ0N3xCVhqpewxvH5fS902o4 BWld7Utx++uVGDr8rMPuEn+pV/0o0KzsbZNS2tKP0+pMz+qKKcpETTi6GihuKnpmIRob WoG6tLnRXsA0sG7VYlN5QMMCC8Ud+oQJlEcwbKOUM6IOwudESwGiXxqrvO710Z7Z30l3 rNghT5/3i7GpiPnelw9lHt+5gYlSdyF2X8vHTc1SLBnpby7WzHmdJ5uxGsIKOjEk5noh zzUEuYnH3mizL4sSxhTBVTfPOEhg0qcbO8fwvqVWsXnjfHIzLSOhT+oIOpUJuHVxp0ly X6DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XfWlJu53yn+0hEsyON68r9852+rlLWA992Zo78WM1Ck=; b=VnmsWLn+oXp8MIi68HFEeqdHlsNxUE6Y1opkkt4dSeREhPp1nOH3KClp5lBpPY/vmp /2c3SDlarAD9o4Pq/y33fM2Lbac/pqa2yG2CaKy0O/fF4nlUhi+/a4G+N/EZ4ZjSWlnS Y6ywP+uWJ3XLFNL4RvP2Z0p3LPGfJ/OZycOCYkvFyq55WHJKgUHqdPKXuwLCOtOFI8W5 h1MjnC1oKLobXkPs5Z29f5jX8AikWjfw5p0axXO4rMLqjxAGzNWSFwUqAjdRohgDKGw7 Uj5c5MLwwk8as9685JSbI/zKTKvJ9Evp1Q5jX0yE1eBKLxo2p13G2/Z7hMvC1ms5EZDE kTrA==
X-Gm-Message-State: APjAAAUp0HLt/71JqKhcFpvw9rmjwf71LWkpaWdiFmJ9IK37s08d+LdK vjKezXUFAIEytNxoSBIU7InBCN93FKw985HSgNZV1A==
X-Google-Smtp-Source: APXvYqwokEygdmFxtWWliupdpgEz3OHJoFk72kMWtK0H59PeE2pogXmLfnq+jecRCR6/+gGVYK6898XrVuE4BpG5t6E=
X-Received: by 2002:aca:1714:: with SMTP id j20mr353427oii.135.1567533537568; Tue, 03 Sep 2019 10:58:57 -0700 (PDT)
MIME-Version: 1.0
References: <20190830222401.GR84368@kduck.mit.edu> <948a07a6-87b1-9f91-d0a6-fa83a7a25e3d@cs.tcd.ie> <20190901235840.GN27269@kduck.mit.edu> <CABcZeBNuTcLSrvrhxmpOPKBxPab1UZPs4t5jc-ie8GzMqmUkLA@mail.gmail.com>
In-Reply-To: <CABcZeBNuTcLSrvrhxmpOPKBxPab1UZPs4t5jc-ie8GzMqmUkLA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 3 Sep 2019 13:58:33 -0400
Message-ID: <CAL02cgQbQNPBxJ68Qos300JAiwubtc6an2+6Ud6Y3H6y_fG4AA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae402b0591a9d7fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PnSrfOytX-IplaJst0qBBWY_n28>
Subject: Re: [TLS] FYI: new TLS HandshakeType allocation, from draft-ietf-perc-srtp-ekt-diet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 17:59:02 -0000

Thanks for invoking me by name, EKR :)

tl;dr: We considered all available options, and using a new handshake type
was the least bad.

Watson has correctly summarized the goal here, which is to distribute a key
that encrypts another key, which encrypts media.

1. Keys from the DTLS handshake encrypt the EKTKey message, which contains
an EKTKey value
2. The EKTKey value is used to encrypt an EKTCiphertext, which contains an
SRTP key
3. The SRTP key is used to encrypt SRTP media.

Steps (2) and (3) are independent of DTLS, so we can put them aside.  The
design question the PERC WG faced was how to accomplish (1).  As Watson
points out, there are several approaches here, each with trade-offs
(copy/pasted from an earlier discussion of the options with EKR).

"""
1. TLS extension
Pro: Simple / natural, since server always sets EKTKey
Con: Dependency on DTLS 1.3

2. New DTLS Handshake Message type
Pro: Encrypted in all versions of DTLS; already needed in 1.3
Con: Not a natural extension point; new-ish in pre-1.3

3. New DTLS record content type
Pro: Encrypted in all versions of DTLS
Con: Not a natural extension point

4. DTLS application data
Pro: No impact on DTLS or SRTP stacks
Con: Have to demux from actual application data

5. EKT message type in SRTP
Pro: No impact on DTLS stack; no demux
Con: KD has to originate SRTP; MD has to forward
"""

For the authors (subsequently ratified by the working group), the decision
process went roughly as follows:

- (1) is not workable because a dependency on DTLS 1.3 is not acceptable
- (5) is not a good fit with the PERC architecture (in which the Key
Distributor (KD) has no other reason to originate SRTP)
- (4) would require updating the demuxing rules in DTLS-SRTP, which are
already challenging (see https://tools.ietf.org/html/rfc7983 for example)

Between (2) and (3) was a closer choice.  What tipped it for us at the time
was that, looking at a handful of existing TLS stacks in 2017, it appeared
there was pretty good support for new handshake types, but not for new
content types.  (In the language of GREASE, the joint was rusty. It maybe
that this picture looks different now that we're a bit further along with
DTLS 1.3 and Ack is now a different content type.  It is true that much
like Ack, EKTKey does not need to be included in the transcript.)  In
addition to that, DTLS has no pre-defined mechanism for reliability for
anything other than handshake messages, so EKT would have to invent one if
we used a new content type.

All that said, my personal inclination here is to stick with the new
handshake type.  Switching to a new content type, and thus adding all the
spec text to make it reliable, would be a major change at this stage of the
process.  And it's not clear that there's sufficient benefit in terms of
architectural cleanness to merit it.

Finally, to Stephen's question of analysis -- This doesn't affect the DTLS
analysis.  All that's being done here is that another value is being
encrypted with the keys from the DTLS handshake.  In that regard, it's like
any other application protocol.  In the current approach, where we use a
different handshake type, it is true that the EKTKey messages are fed into
the DTLS transcript hash, which could affect future keys.  But this
shouldn't allow any undue influence on those future keys, because unless
the hash function has a preimage attack, an attacker can't choose a
malicious input that leads to a particular value.

--Richard

On Sun, Sep 1, 2019 at 8:10 PM Eric Rescorla <ekr@rtfm.com>; wrote:

>
>
> On Sun, Sep 1, 2019 at 4:59 PM Benjamin Kaduk <kaduk@mit.edu>; wrote:
>
>> On Sat, Aug 31, 2019 at 12:25:02AM +0100, Stephen Farrell wrote:
>> >
>> > Hiya,
>> >
>> > On 30/08/2019 23:24, Benjamin Kaduk wrote:
>> > > Hi all,
>> > >
>> > > New values for core types like TLS HandshakeType and ContentType don't
>> > > happen very often, so I thought people might be interested to know
>> that
>> > > draft-ietf-perc-srtp-ekt-diet (currently in IESG evaluation) is
>> allocating
>> > > a HandshakeType, to carry key information used to encrypt SRTP media
>> key
>> > > material.
>> > > Obviously "it's never too late to change until the RFC is published",
>> but I
>> > > think there would need to be some pretty serious issues in order to
>> change
>> > > it at this point, so this is expected to just be an "FYI".
>> >
>> > I guess I ought read the draft properly, but a scan
>> > of the draft doesn't seem to show any references to
>> > the kind of analyses that were done for tls1.3. I'm
>> > not clear why that's ok. Is there a reason why that
>> > is ok?
>>
>> I don't remember hearing about substsantial formal analysis, though I do
>> note that the draft acknowledges that (at best) it has the security
>> properties of a shared symmetric group key, given the nature of the setup.
>> I think we may need to be in Viktor's "raise the ceiling, not the floor"
>> mindspace here.
>>
>> > It was great that many people worked to do security
>> > proofs for tls1.3. It'd be a shame to lose that via
>> > extensions that are less well analysed.
>>
>> My crystal ball went missing, but I kind of expect lots of pitchforks if
>> the security ADs tried to insist on formal analysis of any TLS extension,
>> especially ones produced from non-security-area groups.
>>
>
> It's of course worth noting that extensions in general are not subject to
> any kind of IETF approval, but merely to Specification Required.  Only the
> Recommended flag requires IETF approval.
>
> This document is different in that it registers a Handshake Type, and
> those are subject to Standards Action, so one might argue that a higher
> degree of analysis is required. I'm not sure how practical that would be in
> this case. One compromise would perhaps be to demonstrate that this did not
> weaken TLS itself?
>
> I would be interested in Richard Barnes's thoughts.
>
> -Ekr
>
>
>> -Ben
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>