Re: [TLS] FYI: new TLS HandshakeType allocation, from draft-ietf-perc-srtp-ekt-diet
Richard Barnes <rlb@ipv.sx> Tue, 03 September 2019 17:59 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C741200A1 for <tls@ietfa.amsl.com>; Tue, 3 Sep 2019 10:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vrr1SBM8xuIy for <tls@ietfa.amsl.com>; Tue, 3 Sep 2019 10:58:58 -0700 (PDT)
Received: from mail-oi1-x242.google.com (mail-oi1-x242.google.com [IPv6:2607:f8b0:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C16112006D for <tls@ietf.org>; Tue, 3 Sep 2019 10:58:58 -0700 (PDT)
Received: by mail-oi1-x242.google.com with SMTP id t24so13463084oij.13 for <tls@ietf.org>; Tue, 03 Sep 2019 10:58:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XfWlJu53yn+0hEsyON68r9852+rlLWA992Zo78WM1Ck=; b=QRIYc508oTsjQXVBbnGH+qOk0qQyOu3mKJe1odMVxQHQ0N3xCVhqpewxvH5fS902o4 BWld7Utx++uVGDr8rMPuEn+pV/0o0KzsbZNS2tKP0+pMz+qKKcpETTi6GihuKnpmIRob WoG6tLnRXsA0sG7VYlN5QMMCC8Ud+oQJlEcwbKOUM6IOwudESwGiXxqrvO710Z7Z30l3 rNghT5/3i7GpiPnelw9lHt+5gYlSdyF2X8vHTc1SLBnpby7WzHmdJ5uxGsIKOjEk5noh zzUEuYnH3mizL4sSxhTBVTfPOEhg0qcbO8fwvqVWsXnjfHIzLSOhT+oIOpUJuHVxp0ly X6DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XfWlJu53yn+0hEsyON68r9852+rlLWA992Zo78WM1Ck=; b=VnmsWLn+oXp8MIi68HFEeqdHlsNxUE6Y1opkkt4dSeREhPp1nOH3KClp5lBpPY/vmp /2c3SDlarAD9o4Pq/y33fM2Lbac/pqa2yG2CaKy0O/fF4nlUhi+/a4G+N/EZ4ZjSWlnS Y6ywP+uWJ3XLFNL4RvP2Z0p3LPGfJ/OZycOCYkvFyq55WHJKgUHqdPKXuwLCOtOFI8W5 h1MjnC1oKLobXkPs5Z29f5jX8AikWjfw5p0axXO4rMLqjxAGzNWSFwUqAjdRohgDKGw7 Uj5c5MLwwk8as9685JSbI/zKTKvJ9Evp1Q5jX0yE1eBKLxo2p13G2/Z7hMvC1ms5EZDE kTrA==
X-Gm-Message-State: APjAAAUp0HLt/71JqKhcFpvw9rmjwf71LWkpaWdiFmJ9IK37s08d+LdK vjKezXUFAIEytNxoSBIU7InBCN93FKw985HSgNZV1A==
X-Google-Smtp-Source: APXvYqwokEygdmFxtWWliupdpgEz3OHJoFk72kMWtK0H59PeE2pogXmLfnq+jecRCR6/+gGVYK6898XrVuE4BpG5t6E=
X-Received: by 2002:aca:1714:: with SMTP id j20mr353427oii.135.1567533537568; Tue, 03 Sep 2019 10:58:57 -0700 (PDT)
MIME-Version: 1.0
References: <20190830222401.GR84368@kduck.mit.edu> <948a07a6-87b1-9f91-d0a6-fa83a7a25e3d@cs.tcd.ie> <20190901235840.GN27269@kduck.mit.edu> <CABcZeBNuTcLSrvrhxmpOPKBxPab1UZPs4t5jc-ie8GzMqmUkLA@mail.gmail.com>
In-Reply-To: <CABcZeBNuTcLSrvrhxmpOPKBxPab1UZPs4t5jc-ie8GzMqmUkLA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 03 Sep 2019 13:58:33 -0400
Message-ID: <CAL02cgQbQNPBxJ68Qos300JAiwubtc6an2+6Ud6Y3H6y_fG4AA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae402b0591a9d7fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PnSrfOytX-IplaJst0qBBWY_n28>
Subject: Re: [TLS] FYI: new TLS HandshakeType allocation, from draft-ietf-perc-srtp-ekt-diet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 17:59:02 -0000
Thanks for invoking me by name, EKR :) tl;dr: We considered all available options, and using a new handshake type was the least bad. Watson has correctly summarized the goal here, which is to distribute a key that encrypts another key, which encrypts media. 1. Keys from the DTLS handshake encrypt the EKTKey message, which contains an EKTKey value 2. The EKTKey value is used to encrypt an EKTCiphertext, which contains an SRTP key 3. The SRTP key is used to encrypt SRTP media. Steps (2) and (3) are independent of DTLS, so we can put them aside. The design question the PERC WG faced was how to accomplish (1). As Watson points out, there are several approaches here, each with trade-offs (copy/pasted from an earlier discussion of the options with EKR). """ 1. TLS extension Pro: Simple / natural, since server always sets EKTKey Con: Dependency on DTLS 1.3 2. New DTLS Handshake Message type Pro: Encrypted in all versions of DTLS; already needed in 1.3 Con: Not a natural extension point; new-ish in pre-1.3 3. New DTLS record content type Pro: Encrypted in all versions of DTLS Con: Not a natural extension point 4. DTLS application data Pro: No impact on DTLS or SRTP stacks Con: Have to demux from actual application data 5. EKT message type in SRTP Pro: No impact on DTLS stack; no demux Con: KD has to originate SRTP; MD has to forward """ For the authors (subsequently ratified by the working group), the decision process went roughly as follows: - (1) is not workable because a dependency on DTLS 1.3 is not acceptable - (5) is not a good fit with the PERC architecture (in which the Key Distributor (KD) has no other reason to originate SRTP) - (4) would require updating the demuxing rules in DTLS-SRTP, which are already challenging (see https://tools.ietf.org/html/rfc7983 for example) Between (2) and (3) was a closer choice. What tipped it for us at the time was that, looking at a handful of existing TLS stacks in 2017, it appeared there was pretty good support for new handshake types, but not for new content types. (In the language of GREASE, the joint was rusty. It maybe that this picture looks different now that we're a bit further along with DTLS 1.3 and Ack is now a different content type. It is true that much like Ack, EKTKey does not need to be included in the transcript.) In addition to that, DTLS has no pre-defined mechanism for reliability for anything other than handshake messages, so EKT would have to invent one if we used a new content type. All that said, my personal inclination here is to stick with the new handshake type. Switching to a new content type, and thus adding all the spec text to make it reliable, would be a major change at this stage of the process. And it's not clear that there's sufficient benefit in terms of architectural cleanness to merit it. Finally, to Stephen's question of analysis -- This doesn't affect the DTLS analysis. All that's being done here is that another value is being encrypted with the keys from the DTLS handshake. In that regard, it's like any other application protocol. In the current approach, where we use a different handshake type, it is true that the EKTKey messages are fed into the DTLS transcript hash, which could affect future keys. But this shouldn't allow any undue influence on those future keys, because unless the hash function has a preimage attack, an attacker can't choose a malicious input that leads to a particular value. --Richard On Sun, Sep 1, 2019 at 8:10 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Sun, Sep 1, 2019 at 4:59 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > >> On Sat, Aug 31, 2019 at 12:25:02AM +0100, Stephen Farrell wrote: >> > >> > Hiya, >> > >> > On 30/08/2019 23:24, Benjamin Kaduk wrote: >> > > Hi all, >> > > >> > > New values for core types like TLS HandshakeType and ContentType don't >> > > happen very often, so I thought people might be interested to know >> that >> > > draft-ietf-perc-srtp-ekt-diet (currently in IESG evaluation) is >> allocating >> > > a HandshakeType, to carry key information used to encrypt SRTP media >> key >> > > material. >> > > Obviously "it's never too late to change until the RFC is published", >> but I >> > > think there would need to be some pretty serious issues in order to >> change >> > > it at this point, so this is expected to just be an "FYI". >> > >> > I guess I ought read the draft properly, but a scan >> > of the draft doesn't seem to show any references to >> > the kind of analyses that were done for tls1.3. I'm >> > not clear why that's ok. Is there a reason why that >> > is ok? >> >> I don't remember hearing about substsantial formal analysis, though I do >> note that the draft acknowledges that (at best) it has the security >> properties of a shared symmetric group key, given the nature of the setup. >> I think we may need to be in Viktor's "raise the ceiling, not the floor" >> mindspace here. >> >> > It was great that many people worked to do security >> > proofs for tls1.3. It'd be a shame to lose that via >> > extensions that are less well analysed. >> >> My crystal ball went missing, but I kind of expect lots of pitchforks if >> the security ADs tried to insist on formal analysis of any TLS extension, >> especially ones produced from non-security-area groups. >> > > It's of course worth noting that extensions in general are not subject to > any kind of IETF approval, but merely to Specification Required. Only the > Recommended flag requires IETF approval. > > This document is different in that it registers a Handshake Type, and > those are subject to Standards Action, so one might argue that a higher > degree of analysis is required. I'm not sure how practical that would be in > this case. One compromise would perhaps be to demonstrate that this did not > weaken TLS itself? > > I would be interested in Richard Barnes's thoughts. > > -Ekr > > >> -Ben >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Benjamin Kaduk
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Watson Ladd
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Stephen Farrell
- [TLS] FYI: new TLS HandshakeType allocation, from… Benjamin Kaduk
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Benjamin Kaduk
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Eric Rescorla
- [TLS] =?UTF-8?Q?Re:__FYI:_new_TLS_HandshakeType_a… Martin Thomson
- Re: [TLS] =?UTF-8?Q?Re:__FYI:_new_TLS_HandshakeTy… Benjamin Kaduk
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Richard Barnes
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Stephen Farrell
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Watson Ladd
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Richard Barnes
- Re: [TLS] FYI: new TLS HandshakeType allocation, … Salz, Rich