Re: [TLS] Traffic secrets: What's in handshake transcripts?
Eric Rescorla <ekr@rtfm.com> Mon, 11 May 2020 12:30 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Si0tqUmfVqEAQFucNNyZbrY4k0U>
On Wed, May 6, 2020 at 1:09 AM Ben Smyth <research@bensmyth.com> wrote:

> As far as I can tell, secret [sender]_handshake_traffic_secret is computed
> over transcript CH || SH or CH || HRR || CH || SH. (A server can compute
> their secret once they've computed SH, whereas a client must wait until
> they've received SH before computing their secret.)
>

Correct. The figure here is intended to clarify this
https://tools.ietf.org/rfcmarkup?doc=8446#section-7.1, though see
https://tools.ietf.org/rfcmarkup?doc=8446#section-4.4.1 for how to handle
HRR.

> Secret server_application_traffic_0 is computed over an extended transcript
> which additionally includes EE, (optionally) CR, (optionally) CT & CV, and
> FIN, and secret client_application_traffic_0 further extends that
> transcript to include (optionally) EndOfEarlyData, (optionally) CT,
> (optionally) CV, and FIN. Is that right?
>

No. These are computed over the same transcript, which goes up to SFIN. We
have discussed extending the client transcript as you suggest, but so far
have not done so (this would need an extension).

-Ekr

>
> Best regards,
>
> Ben
>
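
The transcript boundaries discussed in this exchange, as an added example that is not part of the original message or of any TLS implementation: a minimal RFC 8446 section 7.1 key schedule showing which messages feed each traffic secret, including the section 4.4.1 HRR substitution. It assumes a SHA-256 cipher suite; the handshake messages and ECDHE value at the bottom are constructed placeholder bytes, not real encodings.

```python
import hashlib
import hmac

H, HLEN = hashlib.sha256, 32  # assumption: SHA-256 based cipher suite

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand_label(secret, label, context, length=HLEN):
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    # One HKDF-Expand block is enough because length <= HLEN.
    return hmac.new(secret, info + b"\x01", H).digest()[:length]

def derive_secret(secret, label, messages):
    return hkdf_expand_label(secret, label, H(b"".join(messages)).digest())

def hrr_prefix(ch1, hrr, ch2):
    # RFC 8446 4.4.1: ClientHello1 is replaced by a synthetic message_hash
    # handshake message (type 254) that carries Hash(ClientHello1).
    synthetic = b"\xfe\x00\x00" + bytes([HLEN]) + H(ch1).digest()
    return [synthetic, hrr, ch2]

def traffic_secrets(prefix, sh, server_flight, ecdhe, psk=bytes(HLEN)):
    """prefix: [CH] or hrr_prefix(...); server_flight: EE .. server Finished."""
    early = hkdf_extract(bytes(HLEN), psk)
    hs = hkdf_extract(derive_secret(early, b"derived", []), ecdhe)
    master = hkdf_extract(derive_secret(hs, b"derived", []), bytes(HLEN))
    to_sh = prefix + [sh]             # CH || SH (or with HRR prefix)
    to_sfin = to_sh + server_flight   # ... up to server Finished
    return {
        "c hs traffic": derive_secret(hs, b"c hs traffic", to_sh),
        "s hs traffic": derive_secret(hs, b"s hs traffic", to_sh),
        # Both application secrets use the SAME transcript, ending at the
        # server Finished; the client's Certificate, CertificateVerify and
        # Finished are not inputs to either of them.
        "c ap traffic": derive_secret(master, b"c ap traffic", to_sfin),
        "s ap traffic": derive_secret(master, b"s ap traffic", to_sfin),
    }

# Constructed placeholder messages (labelled stand-ins, not real TLS bytes).
CH1, HRR, CH2, SH = b"CH1", b"HRR", b"CH2", b"SH"
SERVER_FLIGHT = [b"EE", b"CT", b"CV", b"SFIN"]
ECDHE = bytes(range(32))

if __name__ == "__main__":
    for name, value in traffic_secrets([CH2], SH, SERVER_FLIGHT, ECDHE).items():
        print(name, value.hex())
```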