Re: [TLS] Key separation and privacy
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sat, 02 April 2016 20:05 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81C1312D593 for <tls@ietfa.amsl.com>; Sat, 2 Apr 2016 13:05:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 21Rq4zM452mM for <tls@ietfa.amsl.com>; Sat, 2 Apr 2016 13:05:07 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D05012D592 for <tls@ietf.org>; Sat, 2 Apr 2016 13:05:06 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id g184so42002785lfb.3 for <tls@ietf.org>; Sat, 02 Apr 2016 13:05:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DK8vcy8WL4R6CmH04+Lr27Bs4ki4ciByV+4ZZpk5U4Q=; b=dc9klq3QXPpMbY0VeFJCokPrRRbKzPb5ll5kqJpEYdCK2mNM6kIdjVpS68wc7t3qSP UzkjjXJg73QF1UgMfJQPLkQI7u2KtHAkpz0fwBjmOj51L8vCB3e+rOoqIi17py9A/ZEG UyTO2ac0sbcjNQpqnqyIrVwxeerrLXcGfqZ545tT7UyVTRwdWPR/3GyAGm3gQvakkNMc ie2KIgbuE/lOc1EdxfrsCuFpJ06JH9Pz+MrbEE/jtGzn04QnoEiIJglwT08g66Tzk45L VbXb5Ba+1gA69/ctfRAuxxsXfEGIsbFI1kk6SXHVXOfGKxvBPDBVpUdQ6+d1wHbySBYU ZR2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DK8vcy8WL4R6CmH04+Lr27Bs4ki4ciByV+4ZZpk5U4Q=; b=jQ4y4qWVcxQYFOF6K8VzTqXNUoZwFRkVQroCrZT7nni2x/rTMO1OAoCRzRW452HyEK EAaHPrbFEvurjCMPdQEl6c85tk5XD4RY6x6lPiZ105SFpmaXKWwF8uBFFphssobzoHCf 5rlBlNJI57ruhuYVbO6M3RcEeZK5i/uLZo1YEN8DQXgaIQEHO4Wfj02K+oaa2KE7NRTG lZTY6EqlIalDZKBUgi+C2PAjvy7iC86MoepDhtWlO7wSvWD4fX+khF63EqVqQbrKZ8sc zyJBVUbCM342kbIACg54Zp+lIg29WolJr8s9I5yJSscFr1k3qY5utf+IbudCKQ6uPBRV yz2Q==
X-Gm-Message-State: AD7BkJI2a2CCsK0wMYNaQpJpPT2qHK7UymFFQxCBxahAxQvxDPTez8i0aREIU3wL7Vh6nw==
X-Received: by 10.194.191.199 with SMTP id ha7mr11142437wjc.128.1459627504591; Sat, 02 Apr 2016 13:05:04 -0700 (PDT)
Received: from [192.168.1.40] (AClermont-Ferrand-653-1-122-31.w86-207.abo.wanadoo.fr. [86.207.37.31]) by smtp.gmail.com with ESMTPSA id d1sm4166688wmh.18.2016.04.02.13.05.03 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 02 Apr 2016 13:05:03 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <EB5548D7-9493-4545-A17F-04D47D865EF5@eng.ucsd.edu>
Date: Sat, 02 Apr 2016 22:05:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DFBB2689-C1FD-4A66-A3FF-F062ACD2BA13@gmail.com>
References: <EB5548D7-9493-4545-A17F-04D47D865EF5@eng.ucsd.edu>
To: Björn Tackmann <btackmann@eng.ucsd.edu>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/UZbucxh3gr5GdCZOOZO-BAzH7AE>
Cc: tls@ietf.org
Subject: Re: [TLS] Key separation and privacy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Apr 2016 20:05:17 -0000
These are good questions. More generally, when do we care about distinguishing handshake data from application data? I just posted another email about using plaintext end_of_early_data alerts to avoid trial decryption, and similar questions come into play there. Best, Karthik > On 29 Mar 2016, at 22:50, Björn Tackmann <btackmann@eng.ucsd.edu> wrote: > > Dear TLS Working Group, > > this message relates mostly to (real-world) privacy, so I'd be particularly grateful for comments from people concerned with that. > > The TRON workshop [1] re-initiated a discussion about the handling of keys among cryptography researchers involved with TLS. Although there is no unanimous opinion on this matter, I think it is fair to say that the majority of cryptographers support the principle of key separation, that is, using each cryptographic key derived within the protocol (only) for its specific purpose. (This simplifies the analysis significantly, but it also helps to avoid unintended interactions between different protocol parts and to keep things nice and modular.) We are particularly concerned with the traffic keys used for handshake and for application data. > > The current TLS 1.3 draft is somewhat inconsistent here. While the ordinary handshake messages are encrypted under a handshake traffic key HTK, "late" handshake messages (NewSessionTicket and post-handshake client authentication) are intermixed with application data messages and encrypted under the application traffic key ATK. Encrypting late handshake messages with HTK instead of ATK would cause the problem that the receiver must know which key to use for decrypting a received message; the somewhat most straightforward way would be to make the messages clearly distinguishable, another way would be to do trial decryption for each incoming message with ATK and, in case of failure, decrypt with HTK. This key HTK could be the very same key as the one used for encrypting the messages during the initial handshake. > > The plain "record type" field has been retired when the new padding mechanism was introduced, with the idea of better protecting privacy. So the main question here is: how important is it to make handshake and application data messages indistinguishable? And is it realistic? > - The late handshake messages are "new ticket," "late client auth," and "key update." I guess the most sensitive of them is "late client auth?" Is it important that this be hidden within application data? Are "new ticket" and "key update" also considered privacy-sensitive? > - Beyond the plain record type, the message may also be identifiable by other traffic characteristics such as length or timing. While the length can be hidden using padding, this requires co-operation with the application layer, because TLS can hardly know what the characteristic traffic pattern of the particular application is. Is this, realistically, ever going to happen in a way that will significantly cover the characteristic pattern of the handshake messages? > > In a nutshell, three possibilities for this are: > (a) Do not separate keys, i.e., set HTK = ATK. This makes cryptographic analysis harder and renders the protocol less modular, but it may have privacy advantages. > (b) Separate keys, set HTK != ATK, and resurrect the “record type” field to the extent that it allows to differentiate HTK-encrypted packets from ATK-encrypted packets. This seems the cryptographically cleanest way but may come with worse privacy guarantees. > (c) Separate keys, set HTK != ATK, leave “record type” field disabled, and trial-decrypt. This is messier than both of the above, but seems a possible compromise between modularity and privacy. > > What do you think? > > Thanks & best, > Björn > > > [1] http://www.internetsociety.org/events/ndss-symposium-2016/tls-13-ready-or-not-tron-workshop-programme > > -- > Björn Tackmann > Postdoctoral Research Scholar > Computer Science & Engineering, UC San Diego > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Key separation and privacy Björn Tackmann
- Re: [TLS] Key separation and privacy Karthikeyan Bhargavan