Re: [TLS] Consensus call for keys used in handshake and data messages
Hubert Kario <hkario@redhat.com> Thu, 16 June 2016 15:26 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E35212D88B for <tls@ietfa.amsl.com>; Thu, 16 Jun 2016 08:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.328
X-Spam-Level:
X-Spam-Status: No, score=-8.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 75YXg9R7BBnP for <tls@ietfa.amsl.com>; Thu, 16 Jun 2016 08:26:29 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91A1912D7BC for <tls@ietf.org>; Thu, 16 Jun 2016 08:26:29 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 105CDC003555; Thu, 16 Jun 2016 15:26:29 +0000 (UTC)
Received: from pintsize.usersys.redhat.com ([10.34.251.45]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u5GFQRMO007480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 16 Jun 2016 11:26:28 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Thu, 16 Jun 2016 17:26:14 +0200
Message-ID: <1853340.Xg5UvgGrF6@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.10 (Linux/4.4.12-200.fc22.x86_64; KDE/4.14.17; x86_64; ; )
In-Reply-To: <871t3y1s99.fsf@alice.fifthhorseman.net>
References: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com> <26741B4E-3C0F-4E0C-AB44-F7DFCCEFED53@gmail.com> <871t3y1s99.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart4291365.GTF4zIuSHH"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 16 Jun 2016 15:26:29 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S1SAhK_-mgNcoyLlkS7nhPnCSpY>
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 15:26:30 -0000
On Wednesday 15 June 2016 09:44:18 Daniel Kahn Gillmor wrote: > On Wed 2016-06-15 04:44:59 -0400, Yoav Nir wrote: > > I disagree that this is a low level crypto decision, or at least > > that this is mainly so. > > > > There is the question of whether using the same key for application > > data and handshake is harmful. That question is mainly low level > > crypto and could be asked of CFRG. > > > > There is the other question of whether exposing the fact that there > > are handshake messages and when they occur is harmful. That is > > security-related, but not at all related to crypto. > > > > Weighing these two potential harms against each other and coming to > > a decision is entirely an engineering issue, and we should not > > offload that to CFRG. > To be clear, we're being asked to trade these things off against each > other here, but there are other options which were ruled out in the > prior framing of the question which don't rule either of them out. > > In particular, if we're willing to pay the cost of a slightly more > complex key schedule (and an increased TLS record size), we could have > "packet header" keys which protect the content-type itself for all > non-cleartext TLS records. If we do that, these keys might as well > also be used to protect the TLS record size itself. This would > result in an opaque data stream (though obviously record size would > still leak in DTLS, and timing and framing is still likely to leak > the record size in the lowest-latency TLS applications). wasn't that rejected because it breaks boxes that do passive monitoring of connections? (and so expect TLS packets on specific ports, killing connection if they don't look like TLS packets) -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- Re: [TLS] Consensus call for keys used in handsha… Will Serumgard
- Re: [TLS] Consensus call for keys used in handsha… Björn Tackmann
- Re: [TLS] Consensus call for keys used in handsha… Subodh Iyengar
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Dave Garrett
- Re: [TLS] Consensus call for keys used in handsha… Colm MacCárthaigh
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Hugo Krawczyk
- Re: [TLS] Consensus call for keys used in handsha… Martin Rex
- Re: [TLS] Consensus call for keys used in handsha… Paterson, Kenny
- Re: [TLS] Consensus call for keys used in handsha… Paterson, Kenny
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Hubert Kario
- Re: [TLS] Consensus call for keys used in handsha… Dave Garrett
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Nick Sullivan
- Re: [TLS] Consensus call for keys used in handsha… Dan Harkins
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Daniel Kahn Gillmor
- Re: [TLS] Consensus call for keys used in handsha… Yoav Nir
- Re: [TLS] Consensus call for keys used in handsha… Nikos Mavrogiannopoulos
- Re: [TLS] Consensus call for keys used in handsha… Benjamin Dowling
- Re: [TLS] Consensus call for keys used in handsha… Ilari Liusvaara
- Re: [TLS] Consensus call for keys used in handsha… Felix Günther
- Re: [TLS] Consensus call for keys used in handsha… Björn Tackmann
- Re: [TLS] Consensus call for keys used in handsha… Martin Thomson
- Re: [TLS] Consensus call for keys used in handsha… Yoav Nir
- Re: [TLS] Consensus call for keys used in handsha… Watson Ladd
- Re: [TLS] Consensus call for keys used in handsha… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus call for keys used in handsha… Henrik Grubbström
- Re: [TLS] Consensus call for keys used in handsha… Hannes Mehnert
- Re: [TLS] Consensus call for keys used in handsha… Cas Cremers
- Re: [TLS] Consensus call for keys used in handsha… Eric Rescorla
- [TLS] Consensus call for keys used in handshake a… Joseph Salowey
- Re: [TLS] Consensus call for keys used in handsha… Andrei Popov
- Re: [TLS] Consensus call for keys used in handsha… Karthikeyan Bhargavan