Re: [TLS] [tls13-spec] resetting the sequence number to zero for each record key. (#379)
Cedric Fournet <fournet@microsoft.com> Fri, 18 December 2015 15:48 UTC
Return-Path: <fournet@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04E011B36B2 for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 07:48:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ZdJw_57ixfm for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 07:48:01 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0135.outbound.protection.outlook.com [65.55.169.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 645D31B36B1 for <tls@ietf.org>; Fri, 18 Dec 2015 07:48:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=kiJuZzBFUvJEGYGhDyFyEhfDg5B0sPfQcw777B/9v9Q=; b=JkqQWbdlxWzyxkg0s7nh89ugcYeA/61jKfG8JzDfgsbOQTZakc45KTu+By/PZp3Fr4xsywFxX3hnIFwI11fy9NhJfzUDsnold1kCsXSoOlXdzet1Q77yMIoqnJScUuTPzZWNCrsHu6da9hoGrEhJOz3NPl6ol5fkc3IvZnZs3lI=
Received: from DM2PR03CA0047.namprd03.prod.outlook.com (10.141.96.46) by BLUPR03MB519.namprd03.prod.outlook.com (10.141.80.144) with Microsoft SMTP Server (TLS) id 15.1.355.16; Fri, 18 Dec 2015 15:47:57 +0000
Received: from BY2FFO11FD018.protection.gbl (2a01:111:f400:7c0c::142) by DM2PR03CA0047.outlook.office365.com (2a01:111:e400:2428::46) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Fri, 18 Dec 2015 15:47:57 +0000
Authentication-Results: spf=pass (sender IP is 206.191.249.68) smtp.mailfrom=microsoft.com; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=pass action=none header.from=microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 206.191.249.68 as permitted sender) receiver=protection.outlook.com; client-ip=206.191.249.68; helo=064-smtp-out.microsoft.com;
Received: from 064-smtp-out.microsoft.com (206.191.249.68) by BY2FFO11FD018.mail.protection.outlook.com (10.1.14.106) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Fri, 18 Dec 2015 15:47:56 +0000
Received: from AM3PR30MB049.064d.mgd.msft.net (141.251.48.82) by AM3PR30MB051.064d.mgd.msft.net (141.251.48.84) with Microsoft SMTP Server (TLS) id 15.1.365.9; Fri, 18 Dec 2015 15:47:53 +0000
Received: from AM3PR30MB049.064d.mgd.msft.net ([141.251.48.82]) by AM3PR30MB049.064d.mgd.msft.net ([141.251.48.82]) with mapi id 15.01.0337.009; Fri, 18 Dec 2015 15:47:53 +0000
From: Cedric Fournet <fournet@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] [tls13-spec] resetting the sequence number to zero for each record key. (#379)
Thread-Index: AQHROSQrWxcUcSg40EiXRu2VKguhkp7QgGUw
Date: Fri, 18 Dec 2015 15:47:53 +0000
Message-ID: <7327a9142c2c41f39028d8882be8ae45@AM3PR30MB049.064d.mgd.msft.net>
References: <5e85e3b1a1914ea8bbd5d985c321c119@AM3PR30MB049.064d.mgd.msft.net> <CABkgnnW4xWKZZKh-3-Qqat6zVKTveLW1ZGP47bHZioJ2j-eLYg@mail.gmail.com>
In-Reply-To: <CABkgnnW4xWKZZKh-3-Qqat6zVKTveLW1ZGP47bHZioJ2j-eLYg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [141.251.48.69]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; BY2FFO11FD018; 1:w9S/nVBuYrsGjWEbrytigxM5zFKF120THfYC8yzHRUD0mfqrKkOU1hCcV33NHThMCD1+03ttbo0Tb5Ykb4BEPiRdD+DrZ781imAA1qHfppmVJicXt17yJVbi32+VyJ6mK0y11rNQlZsHym6MJO8vPe7E6KmmAF8t9FXOrGQ/mI5kRWJ37Obj3zxpd41sL4DI4XLJ0EojDW3Z21gvU5Ov5ZxG6EEKcf/WK5hYPpv90JHwOQskQzNldFCaSbxSrtD7ZD2vfj6BYwL+vPv9afFDQa0BgWONe7Z46LFkDWyht6cDQP1wWV1DCmsw/QkwI1Ibc34/rAFygWSBz7EG4faISg==
X-Forefront-Antispam-Report: CIP:206.191.249.68; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(2980300002)(438002)(24454002)(199003)(13464003)(52314003)(189002)(106466001)(2950100001)(54356999)(6806005)(92566002)(97736004)(106116001)(69596002)(102836003)(19580395003)(110136002)(108616004)(50466002)(5004730100002)(11100500001)(5001960100002)(189998001)(2900100001)(19580405001)(5008740100001)(24736003)(23676002)(586003)(1096002)(66066001)(5003600100002)(81156007)(26826002)(3846002)(86362001)(47776003)(6116002)(50986999)(76176999)(33646002)(10290500002)(1220700001)(16796002)(10400500002)(86612001)(87936001)(10090500001)(5005710100001)(86146001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB519; H:064-smtp-out.microsoft.com; FPR:; SPF:Pass; PTR:ErrorRetry; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB519; 2:/8KltD2oATQCvaGHM5MKz7mzBOZItGkmu4omfJAMT0LIpB2l6lJrs5b/XKcrtj3w+WjqGYZ/i67Y1p+IX8shi5k23gWqNotSP5uBa28t2meFBVUedQsEfysdmzC8bL5ZQLShN/QFl2bQ+sLbv8JZSA==; 3:7lMp7tzuoEFumfLvG6mPIckkjrJJ/b+xpdJk+HfB6DRCcGFxrsSGvNtW0WYwRMN1SEiVdP2QTy6Bmt9WcVlaVvMT5mDfzmZpWTYZbkXr06af7li0YG508PTSfUWnAZ0qEl+4+Hnyy9EG8JMUbrcHOrYm2z0IDK5bUOtWJFD14iyuWAhYuuLlSVcNKtrT/P6n8biJQfnpIqgvpE68c7B7I3+sv/hp6Mk5Yyz/9HJf3LdTXTXsiRt4HVYGZxd1Jn/puv2gBQdARNm1N3G/Hj97jg==; 25:Xe2N5FeC6u+Lax9njKWMHgPF8ffaUmDdlLwSHXgryeWphhV6hQ5BMz6iQ5i3b2aXRTxEK39oTjb70K2z9PgEpgGX2MYqWBechssA+b1ZIY6KGoHQ3X8PISC9FNzCJ4COS/jLvgsSPNEIdMCCE8dipxHK+gtx3crrbIm2p5msxzLGQThITnainLKxsHHIUrekbKBgQmaAwrukyCtSq2mXYf3MnDqXGpkgOeQ+kcZYWoCrOrMfXP3lKCZl9M2mJ0TWu14OYLJWyKQKLie0rNytTxbAyTchAcBHhFeSAMhFeIw=
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(8251501001); SRVR:BLUPR03MB519;
X-O365EOP-Header: O365_EOP: Allow for Unauthenticated Relay
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB519; 20:DqtxsUB0v0+drc4nHweo3vkWhPNbl+CYpBQ+FroisviGOJ9PTlPJK9ym88hHoMLprQfbIYoYYa1tq+Fdhjqyt+axuQjtpOZFBhw6/Ea+YN9y3yElL3qhU5LVfQW4MCARyA3kC2t8EmZ8imLzldwWO1icCwpOznkO4/Z+WwEoRd5Eli7+0IBvRjf47FTQi69ZU/bbEKQnp8FPVbA2DOkBD2UArEsYU6bnjMpwe/Gf1a/v65lNacJcTnps9TnCe44lgaItsWzmTw/rnZFPW0iIv7ADIPBoK55KECMrd8hOFU9XFY5wgols4DzqwekbSRXEOM2s6hENwJEI4pz2vsua6hL+KuNqNQhCS9NJT+0i3PDHK10Y1hiXqtll0MZffckT0LMHx6D9wIhVLwWB9E03O5B3NB1Pqrdb1GC4+tzZbCYtcT9DciCy73/V2TtrsI2EurXZSk4m5pIysphiTNkavTIc5eyCuwAwv0ecjrhSDEGicpfoPCZxsmU9hdYBuxgD9qq9ZkhfwlZg2b+PvYoBfhBoDi8XjFduDvA537ofOBEf7f0Nlk+VAEgSCNKLYDsn4BOcb8JPCvOENFxAcjhF/YCczcPV6kIvqcNsxhCHRDo=
X-Microsoft-Antispam-PRVS: <BLUPR03MB5197181066B97376BCE2822B0E10@BLUPR03MB519.namprd03.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:BLUPR03MB519; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB519;
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB519; 4:bIF/HgY6w9ufMfQhAHCbwBNYRwVCWiQgsPw1hBf5Dw7sCPD2/itCDIX08IUZSbkUL+aoaMSGPexmtkY4OpMlYhA/o4s10xsEF/cG97VXIWFvpHB7OfSX0ZekMzltFoS7e75DaW7y7r2Q9BGeEpNuv+CYeSLXiwKCcbr4CwliCE7EXb7NzDVOQ3fI+vCB15RqpXvdXFMJzU0qn/cIhunE5Zw7bG9SpgWxb8XfrO3bSKgqWTcg7qPo50llgwSRXNjBe0KdgFUv+yEgj/SkHtnCxJgkvVfEQX2Xu+VCHg61KgTaTowgV4+jYiQGvVoR9l44X6DQDBXRxWSkSj0c6wB4ZuuTjit8jCADEaFgoTlP1WMqL3HMls5MUrBEVRbLXFy5rTZZ+mJvk3JoqQpyxc/wPoNCVVsdwc/75parJeVimZnXdEFUMbaUR27vxC3qyZt3
X-Forefront-PRVS: 07943272E1
X-Microsoft-Exchange-Diagnostics: 1;BLUPR03MB519;23:prrXxLDCj2cMGgmR3OvyCleZtCdAAvneZZJ3FNx35mroH2loa1qvUa+zdJZaUcWzcshHdFRwqpgRJ9ytgjaQZeM0epl8iU40sOoKoxqmunYZYKWCzYukJEbUNHNvXI1zMggYUaS8gZajh5wfqp1wg6hP+aD573gPtzLHXOcSDvhx7EK+k+La5E5sy/bJAsLMLLIOb9Dp5voptAFiBKRLrwqRsfYKEEZwImJTSyMZ0UbHilqUg+HROm5PygFu3MZ+6UJKEQisLC4r2SfcOdgVvcrlHnxwN06R5GNze3u7TM3gs/X7Ul77wiSVA8EGfkZwKl4B4UYjzut37dy09+wTwi3s75/Tw/Gi7G8d8Tm7m/X3udzU0ab7nfMfkQiN4sdnINdS+MEYhfrz7dBSBV5R4qkmehTjaWtePLiwq82c4/y3tg3myuZO9zvHtKiKuR6We27voz0mLoD7wSJXsMUkPj/VStVrj1nij5FtMxW10A3QPw3MxEtNKs9xFLp37lkGOSFAQIicL5fkIrNtG58MK4Xl+4V5RSjrJlcmgwm6am9/A7Ja0aXgklFZ6Nvie8cdGXOiuAE6gQcU1CwDnACzOlkV4yhegiiqZ5F2e4z5TfO8Mt4xG0dVV0lWe9rUjS8uWVSV4/PSQI/4B0Sd0+cjGUTmw0R5O6oq93NM72dCpr+YLSYzBF7J4OP4v+DU+Bi6uiQtxYbVPQdYU48BVieaUgVv04Kn+tgsR9kyJD1Neo0Iv4sTSdfqBgEWBoVuwYris4x4qIKinpAGP+Jfd8POyjMhAg3Yf2ctnh/Q0ID3ZDe/eai3h1gZS2AZUCXB93JOytxRdL1paHoVzl5keh6vfe08B7eAf+4dEO9d7r792MI5GTvcAX/2u+bjoO+D0xPd9x5Tkync0sXxL8mHxwcYU95e8avZiSN7+F62kovYA5C8slAsi9qILtAAHeqbCb2RYFy7MkiY2gIJ6ttziSRy+3cW4GhOCXMKfeV6cy3/o2iIraZykkrzN/rt04kkuKHdeyjA0UOygyjc83sBpXujrCcu5TxybNTOnZUFXsjPLvg4a78QTv9wtfBdqGQc4DY7+n6xXLIsnt7o2MvL5+HJvfyWpL2hu/hU7qYr0H5h4GqFNXfFDrIgDWQfCj/DbO9WiSzkdvaz0TkeVz4oognpZR1NuyIsiKzkak/SoEzoIUnLERdKWjRwwhUy3JD98LKNosemEsRC5/k+dFwnBYwDoRPRSN2fSBjfvCk/7Wn4rVMtCqPcgXdyMd9wNeE5Nb5vPF7PYpGSaJcaDIbNEkkLcfE0ulFMMF0Up+HPGCcSEDCxX6FYuF+2+J8wty6PjtB1LzIFw/2tlYAH64XQNSRd/g==
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB519; 5:iOOHSPhkMbl+lXYPW7KJb9G8JBru2NThVB51tKrkAzFm9cbev2J+CHfGy+tGwkfoWZbGod6NCSRBqbAyneDQmHJV4nh39hjhnXRj2zUBBFC/bO/WUZqnPvy5fq+QxScy5v4EUY33v9K8fJ499CZfdQ==; 24:nURgL6nkRNgI1ZVusFJqslVxqYsbVBsmipmm21Q3LSbiZL9sOU3DM92ZorJxGOUvJHEgNRmtjdfvXPoxp+LOdyneoecmwJCeHxQY63eFal8=
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Dec 2015 15:47:56.3088 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[206.191.249.68]; Helo=[064-smtp-out.microsoft.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB519
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ul8ZFlMEtjA0smqmTa4gY7rEdzI>
Cc: Antoine Delignat-Lavaud <antdl@microsoft.com>, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [tls13-spec] resetting the sequence number to zero for each record key. (#379)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 15:48:05 -0000
The surprise is that breaking one key also yields the ability to truncate traffic protected with another key. We agree that we don't have any particularly scary way to exploit it against the current draft, but we'd much prefer handshake encryption not to depend on 0RTT, and application data protection not to depend on handshake encryption. With our proposed change, the main point to keep in mind is that, by design, the TLS 1.3 record layer does not prevent suffix truncations. Instead, TLS prevents prefix truncations at the protocol layer, by sending an unambiguous final message with each record key: end_of_early_data; finished; and close_notify. -----Original Message----- From: Martin Thomson [mailto:martin.thomson@gmail.com] Sent: 17 December 2015 23:39 To: Cedric Fournet <fournet@microsoft.com> Cc: tls@ietf.org; Antoine Delignat-Lavaud <antdl@microsoft.com>; Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Subject: Re: [TLS] [tls13-spec] resetting the sequence number to zero for each record key. (#379) So the actual impact here is that an attacker who has compromised a key can introduce a gap. Aren't there other options available to such an attacker? Scarier options? On 18 December 2015 at 07:01, Cedric Fournet <fournet@microsoft.com> wrote: > > We propose to revert this change (that is, to reset the sequence > number each time a new key is installed, as in TLS 1.2). If the > chaining is still required for some other reason, one could instead > include the old sequence number in the new key derivation (or the new > key's additional data, but we believe this is no longer an option). Even with my question above, this seems reasonable to me. I'll note that chaining in the way you describe would require that the rekey message (the last message of the previous epoch) would need to be retransmitted in DTLS. That seems more brittle, but we probably want to retransmit anyway, since that would let use remove the explicit epoch from DTLS packets.
- Re: [TLS] [tls13-spec] resetting the sequence num… Cedric Fournet
- Re: [TLS] [tls13-spec] resetting the sequence num… Martin Thomson
- Re: [TLS] [tls13-spec] resetting the sequence num… Cedric Fournet
- Re: [TLS] [tls13-spec] resetting the sequence num… Eric Rescorla