[TLS] Fwd: Key Hierarchy TLS 1.3 RFC8446(bis)
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Thu, 29 May 2025 18:44 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0825C2E6CC94; Thu, 29 May 2025 11:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oqIzdXFNTJTa; Thu, 29 May 2025 11:44:42 -0700 (PDT)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7B6582E6CC7E; Thu, 29 May 2025 11:44:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:From:CC:To:References :Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=doDG4RXeHkoNI5IQF6cWsr/YQl+noRt6x3v6dgvtGl0=; b=OIV3ZKYbaIYiKrec5yL7W2EXNT fYz1+5OrkydCbZ8KZgzEDiWjHUUgFITPzcLgVamFqszWjS5M2S7789g+3yJTqA1hDOraPzgAdE+kK KMb22rrOf1BFegJl5WJ/Yenf8g9ayHXWRSQRlciUyzFzjReunXkmfTqC0eJ8VQpD6KtzWqVV32mjK OMUGudSpdD50JTogtvGaxLJgG54s/NATd3KaPxkGT5mIxbyFKToQgTT7ZC2b4NYSGWxwu1525IQki ADOoF6a2qBg0A6p1p5kXKQ7jXpBPoOi9HLlxLQvxO4lPPS6oBxIGlwSfLch8/ghNsb5agAZRD+NrV gvNKs41Q==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1uKiF7-004eXK-9A; Thu, 29 May 2025 20:44:41 +0200
Received: from [10.12.5.228] (81.201.156.93) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Thu, 29 May 2025 20:44:36 +0200
Message-ID: <adca4e7d-d7f6-4149-8627-2eb483465f54@tu-dresden.de>
Date: Thu, 29 May 2025 20:44:35 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
References: <661b1a6b-b14c-476b-b5b8-df4eef42f0da@tu-dresden.de>
To: UFMRG IRTF <ufmrg@irtf.org>, cfrg@ietf.org
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <661b1a6b-b14c-476b-b5b8-df4eef42f0da@tu-dresden.de>
X-Forwarded-Message-Id: <661b1a6b-b14c-476b-b5b8-df4eef42f0da@tu-dresden.de>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms010505070004070603020402"
X-ClientProxiedBy: MSX-L414.msx.ad.zih.tu-dresden.de (172.26.34.134) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: KZ6T25UQSLFJF7WLVA3QBIXJXY4LXIN5
X-Message-ID-Hash: KZ6T25UQSLFJF7WLVA3QBIXJXY4LXIN5
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Fwd: Key Hierarchy TLS 1.3 RFC8446(bis)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XtBa0z6XjJD7QIMM430hajcWwPY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi UFMRG and CFRG, We presented some issues about the implementation of TLS 1.3 key schedule in formal models in the past meetings (e.g., 119 [1] and 120 [2]). We have found some additional issues (see forwarded email below) in the key schedule for which we did not receive satisfactory answers at TLS WG (follow-up discussion [3] and [4]). I was wondering if someone has any insights/opinions on the following issues on TLS 1.3 key schedule to share with us. Thanks, Usama [1] https://datatracker.ietf.org/meeting/119/materials/slides-119-cfrg-formal-analysis-of-ra-tls-00 [2] https://datatracker.ietf.org/meeting/120/materials/slides-120-ufmrg-towards-formal-analysis-of-attested-tls-01.pdf [3] https://mailarchive.ietf.org/arch/msg/tls/Ho98JDz06Tuz_bQZPMNdgIs3Q5A/ [4] https://mailarchive.ietf.org/arch/msg/tls/qTkiEMP3E5bmfJhmfUaCTE2HuhA/ -------- Forwarded Message -------- Subject: Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Date: Wed, 21 May 2025 21:04:41 +0200 From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> To: tls@ietf.org CC: Hugo Krawczyk <hugo@ee.technion.ac.il> Following up on an old thread with some additional issues/questions/observations: (Almost all of it applies to RFC8446 too, but I am using bis as a reference.) *Issue 1: Ambiguity of "Session Keys"* /TL;DR/: Please define "session keys" /precisely/. */ /* /Details:* */ Appendix F.1 of RFC8446bis-12 states: > A set of "session keys" (the various secrets derived from the main secret) from which can be derived a set of working keys. Figure in section 7.1 shows that there are 4 secrets derived from main secret: 1. client_application_traffic_secret_0 2. server_application_traffic_secret_0 3. exporter_secret 4. resumption_secret From the above statement, I am assuming that the set of all these four secrets is what constitutes "session keys". But then the literature sharply contradicts this. For example, Dowling et al. [1] label 4 other keys in addition to these as "session keys" (see Figure 2 in [1]): * client_early_traffic_secret * early_exporter_master_secret * client_write_key for Record type = Handshake * server_write_key for Record type = Handshake The first two in this list are derived from Early Secret while the last two are derived from Handshake Secret, immediately contradicting the description of "session keys" in Appendix F.1 quoted above. So it would be helpful to explicitly state which keys exactly are included in "session keys". --- *Issue 2:* *"Binder Finished Key"* /TL;DR/: Please confirm if this is correct and if so, mention it explicitly in RFC8446bis.*/ /* /Details:/ Dowling et al. [1] also mention "Binder Finished Key" derived from Binder Key (Figure 2 and Table 1 in [1]). In my read of RFC8446bis-12 (particularly section 4.4 and 4.4.4), I could not figure out where this is coming from. The only mention of binders in these sections is: > The PSK binders also perform key confirmation, in a similar fashion. Perhaps the intention here was not to say key confirmation alone, but also handshake integrity via Finished message? Specifically, Table 2 never mentions binder key, as one of the base keys for the derivation. ---* * *Issue 3: Empty string vs. zero-filled string* *in key schedule:* /TL;DR/: These two have been colluded in ProVerif implementation [2].*//*Are there any already known real-world security implications of doing so?*/ /* /Details:/ ProVerif implementation [2] of key schedule has colluded empty string "" with a zero-filled string "0". I think other than the two "0" in HKDF-Extract for Early Secret and Master Secret, all others should be empty strings instead and hence should be represented by some other constant other than "zero" in ProVerif. I will create an issue on this in the reftls repo. In my understanding, "0" is intended for the case of /no prior key/ for HKDF-Extract and "" is intended for the case of /no additional context/ for HKDF-Expand-Label. Does someone know any security implications that could originate from -- for example -- using "0" instead of "" in HKDF-Expand-Label? I think depending on HMAC construction used, this might lead to security concerns, generating unexpected keys and breaking the key agreement at the very least. --- *Issue 4: Full key derivation schedule: * /TL;DR/: Please add /full/ key derivation schedule in specifications in RFC8446bis.*/ /* /Details:/ The text in section 7.1 says > This produces a full key derivation schedule shown in the diagram below. The figure, however, by no means is anything close to a /full/ key schedule. It shows only the first stage of keys. Seems like it would be very beneficial if at least the Appendix of RFC8446bis includes a /full /key derivation schedule. Right now, the key schedule is scattered around in sections 7.1, 7.3, 7.5, 4.4 and 4.4.4. I, Arto, Hannes and Thomas tried to consolidate this in our earlier work (Figure 2 in [3]), and match each symbol to the TLS specifications (Tables 2-5). But we missed issue 3 at least (and perhaps more). I would be happy if someone could have a look at the key schedule (section IV in [3]) to help us thoroughly validate the formal model. This would be very helpful for the formal analysis of drafts (e.g., attested TLS) which propose changes in the key schedule. Thanks, Usama [1] https://eprint.iacr.org/2020/1044.pdf [2] https://github.com/Inria-Prosecco/reftls/blob/master/pv/tls-lib-draft20.pvl [3] https://ieeexplore.ieee.org/document/10752524
- [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Hugo Krawczyk
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Fwd: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar