Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis)
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Fri, 22 December 2023 10:12 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2D6C14F69D for <tls@ietfa.amsl.com>; Fri, 22 Dec 2023 02:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bOy_z8NNFib4 for <tls@ietfa.amsl.com>; Fri, 22 Dec 2023 02:11:55 -0800 (PST)
Received: from mailout4.zih.tu-dresden.de (mailout4.zih.tu-dresden.de [141.30.67.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A3C6C14F5F4 for <tls@ietf.org>; Fri, 22 Dec 2023 02:11:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=In-Reply-To:References:CC:To:Subject:From: MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=KFsCgtmApdrCfeEz/zAHq+A9LWtgbtcj9iLjJR5wJYU=; b=LxbU7rasGHO+cauveh6Zm+GDrF tIMUrO9Gql2iADQIDFqHPwbVkOoHMTrOEl61cQO2LkFm4C+WQZ1p8MHJ6+CurjyVkl2pn6vTsyhX0 smj3sgQoQR0J5a6q0kARQZY0ivEcpLeEVDitQLFj9jJ5waFVk/jnBEB+Zrj9Kqx7iBDatQfgtOrew rb84DxTVZKjdSjlFchT80ePb9FwJq80nmBldTnMD9aVihVxGgx9OJOu0DTMuFhmWmKsoMJOXYgn3R UFogAJlTsXDbUvX7QOl2XYNyUPqZSi75i4uiCqyPaNf3FMYzL0oBvwdhdaSaNuGiQz/Fhk75WOsPS JuFiaFyA==;
Received: from [172.26.35.114] (helo=msx.tu-dresden.de) by mailout4.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1rGcVS-003f8f-Jo; Fri, 22 Dec 2023 11:11:51 +0100
Received: from [10.70.3.25] (194.95.143.137) by MSX-T314.msx.ad.zih.tu-dresden.de (172.26.35.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Fri, 22 Dec 2023 11:11:45 +0100
Content-Type: multipart/alternative; boundary="------------27MdR92wclgQp0qomDv3zhJo"
Message-ID: <f16029e7-33ea-449d-9a6d-936b649d30d5@tu-dresden.de>
Date: Fri, 22 Dec 2023 11:11:45 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
CC: tls@ietf.org
References: <90bdd3cd-a5d0-4a82-b28c-2965536a7154@tu-dresden.de> <CADi0yUP27w+gcLvfWjn=+EqxfiWebFiyaNa1aUomVai8AUAU5w@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CADi0yUP27w+gcLvfWjn=+EqxfiWebFiyaNa1aUomVai8AUAU5w@mail.gmail.com>
X-ClientProxiedBy: MSX-L316.msx.ad.zih.tu-dresden.de (172.26.34.116) To MSX-T314.msx.ad.zih.tu-dresden.de (172.26.35.114)
X-TUD-Virus-Scanned: mailout4.zih.tu-dresden.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZGmyHwTYh2iPwPrirj_rkSTYhDo>
Subject: Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Dec 2023 10:12:00 -0000
Hi Hugo,
Following the related sources [1-4], it appears to be - as Eric called
it - a theoretical and futuristic concern. In my understanding, the main
concern was that with the key hierarchy of draft 18:
* the Handshake Secret could collide with binder_key if the attacker
is somehow able to match (EC)DHE secret with the label to the
corresponding Derive-Secret.
* the Handshake Secret could collide with client_early_traffic_secret
if the attacker is somehow able to match (EC)DHE secret with the
label to the corresponding Derive-Secret.
The reasoning for 2nd Derive-Secret is even more far-fetched. If in the
future the IKM input to HKDF-Extract (zero) changes, then similar
collision may happen between Master Secret and
client_handshake_traffic_secret or server_handshake_traffic_secret. So
my question more precisely is:
* Is there any /practical/ security implication for missing the
additional Derive-Secrets? Has this ever been /practically/
exploited? Has anyone else explored this?
Now about the Inria paper that you have mentioned, I am not much
knowledgeable about computational analysis. I understand that it helped
them remove the assumption (that DH group elements do not match the
corresponding labels) in their proof in CryptoVerif but the
corresponding formal analysis in ProVerif in the same paper does not
support this view, i.e., all properties remain the same regardless of
the additional Derive-Secret.
Moreover, the implementation of key hierarchy in draft 20 in ProVerif by
the authors is incorrect [5-6]. For instance, due to a strange reason
and beyond our understanding, the draft 20 implementation does not use
the Derive-Secret for Master Secret [5]. Do you have any
thoughts/opinion on this? The same implementation is being used by other
extensions as a baseline, including Lurk [7].
Usama
[1] https://github.com/tlswg/tls13-spec/pull/875
[2] https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/
[3] https://datatracker.ietf.org/meeting/98/materials/slides-98-tls-tls13-00
[4]
https://www.youtube.com/watch?v=oSwXkhVd2ts&list=PLC86T-6ZTP5jo6kIuqdyeYYhsKv9sUwG1&ab_channel=IETF-InternetEngineeringTaskForce
[5] https://github.com/Inria-Prosecco/reftls/issues/6
[6] https://github.com/Inria-Prosecco/reftls/issues/7
[7] https://github.com/lurk-t/proverif
On 17.12.23 21:05, Hugo Krawczyk wrote:
> See full thread here
> https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/
>
> See also how this helped analysis here (search for reference [73]
> https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf
>
> On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar
> <muhammad_usama.sardar@tu-dresden.de> wrote:
>
> Hi all,
>
> In the key schedule (section 7.1) of RFC8446(bis), what is the
> rationale for using /*Derive-Secret(., "derived", "")*/in the
> derivations of Handshake and Master Secrets? Since this change was
> made in draft 19, I expect there should be some reasoning of why
> this was added. Specifically, what are the security implications
> if this step is missed, i.e.,
>
> * if Early Secret is directly used as the Salt argument for
> HKDF-Extract of Handshake Secret;
> * and similarly if Handshake Secret is directly used as the Salt
> argument for HKDF-Extract of Master Secret.
>
> Regards,
>
> Usama
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
- [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Hugo Krawczyk
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar