IETF Logo Mail Archive

Re: [TLS] judging consensus on keys used in handshake and data messages

Watson Ladd <watsonbladd@gmail.com> Fri, 08 July 2016 15:28 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92BB912D1DE for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 08:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFDqpcRzMGyp for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 08:28:32 -0700 (PDT)
Received: from mail-vk0-x242.google.com (mail-vk0-x242.google.com [IPv6:2607:f8b0:400c:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44DCB12D776 for <tls@ietf.org>; Fri, 8 Jul 2016 08:28:32 -0700 (PDT)
Received: by mail-vk0-x242.google.com with SMTP id a5so9227483vkc.2 for <tls@ietf.org>; Fri, 08 Jul 2016 08:28:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=q6OyjEhmr2Y1x1xrmtiJu/hD9XvWh32owdidjqKD6bQ=; b=cuZLo5tJeIkC7itTNt8ARjUsFyfQ/A+dAZ3OB1+ztrjdGyb4WCq3D6dxTVnyjbb9YO 5qZGVMPiRLmkf8DN9UrsCO/1M8AsTrrM3v4hL9LpUtzzXnDm5Ixmm6/DZokdkyn5iWiy C1D4+/WQv184ihHiuvqSfkZBCganfC6Hj55hYbOwVFZiqIFbiwBSNsyCO7U/tbNI3+g3 qcA+DmnNxcvCEncXTqx1UEReSv+cbIMQt+TD+4wiPGxqQk16tr7pMHWXX8dz7cEgOfFA ytGi/RYSw/66tV6KqOyFzPFoCP5XI1QA7skYidY1SWlkhpmaj+H1AYu7wOTERM7BPfju clPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=q6OyjEhmr2Y1x1xrmtiJu/hD9XvWh32owdidjqKD6bQ=; b=IFldC+Z01gIWPxANuN//Gvr82+0n1D3BZNvQMhajxPsZPiUnqJfRuLguCpAWyONMjw G8dG+JX5EUGJcKIC1sJdsTCN0bnB39EGmBfZqkKW3C1rFSu2g5Hpx2UW36Yyb1wbSk/L g6cPxFSst18GCcp5OurBYbg2zIFtANhkXEEtY1Tn9gdyJvfZPUyRhRMM6C0zq6yuWRLy HnJWqI6Gb7UXo3Ux2kbD1qkpd2V8E0h225Mov/b1Gwhg81enmfwfSSpKicXmMyxIKOV5 KgtLNkCi5sx1arZ2BnO1ct/MeuFD16cZ/6CxeHggIELn/NilMI5caqhiKanCGdhUUxmJ iNoQ==
X-Gm-Message-State: ALyK8tLwi3TLIJakgcmwiSE5LmFaPI7FdQSAMczb1nh6fXv9JHphSQ8s/1H176zgM9PVXGGN5KvzEu5XCzAgAg==
MIME-Version: 1.0
X-Received: by 10.31.108.216 with SMTP id j85mr2896087vki.68.1467991711060; Fri, 08 Jul 2016 08:28:31 -0700 (PDT)
Received: by 10.159.39.194 with HTTP; Fri, 8 Jul 2016 08:28:30 -0700 (PDT)
Received: by 10.159.39.194 with HTTP; Fri, 8 Jul 2016 08:28:30 -0700 (PDT)
In-Reply-To: <CAOgPGoAOx7P5+DV7X0gd6JySr50CCXDmZLFNF+Ez0+EUiQvoeA@mail.gmail.com>
References: <CAOgPGoA2RmAUMR=4bOOwepSSdrJ2tUGD1B+hieQzZaRVnwXo=A@mail.gmail.com> <A2C29D69-FF97-4C16-941B-87C0022C6362@gmail.com> <CAF8qwaC+iXoJ_Z9xuB4UqR4-7EmXUmr2pRRcBDxtDP-eZ8LzAg@mail.gmail.com> <201607062024.46745.davemgarrett@gmail.com> <CABcZeBO_Nh_u+++wOqH68j3mNfkM3A+W+4ZR7-J0ciV0-4q1KA@mail.gmail.com> <CAF8qwaArt-kmRf3EBdo4j7Q-xFEe25LZLperxzqtKqV-2sbJ1Q@mail.gmail.com> <4809BB22-BF00-4824-93BD-2C66497CC557@gmail.com> <CADi0yUPXXwdRNJfrP_HiL9-F-8fuqstTpBukWgtEMkpSnQnysg@mail.gmail.com> <CAOgPGoAOx7P5+DV7X0gd6JySr50CCXDmZLFNF+Ez0+EUiQvoeA@mail.gmail.com>
Date: Fri, 08 Jul 2016 08:28:30 -0700
Message-ID: <CACsn0cmXFGTkgnV=_8HHjZ0A=2DJyY-oDGMrb=LWPEZuhWNh0A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a11478f34789987053721745c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZlTCbjAH8XTZOsE6lSI4TM7CAj8>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] judging consensus on keys used in handshake and data messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 15:28:35 -0000

On Jul 8, 2016 6:50 AM, "Joseph Salowey" <joe@salowey.net> wrote:
>
> We would like to have all comments in on this by Friday, July 7, 2016.
>
> Also, to clarify, Hugo's interpretation is correct:
>
> Option 1 - use the same key for protecting both *post*-handshake and
applications messages.

I don't object to this if 2 is of the table. The only reason this option is
reasonable is that we've carefully attempted to ensure keys are separated.
I'll submit a PR to add text warning of extensions that don't do this.
(Some exist IIRC).

>
>
>
>
> On Thu, Jul 7, 2016 at 2:44 AM, Hugo Krawczyk <hugo@ee.technion.ac.il>
wrote:
>>
>> I do not have an objection to option 1 if re-phrased as
>> Option 1 - use the same key for protecting both *post*-handshake and
applications messages..
>>
>> I believe this is what was intended by that option anyway. Let me
clarify.
>>
>> I understand the question as relating *only* to post-handshake messages
and not
>> to the main handshake (three initial flights). For the latter we have key
>> separation in the sense that none of these main-handshake messages is
encrypted
>> under the application key but rather under dedicated handshake keys.
This should
>> not be changed as it provides key indistinguishability to the
application key, a
>> desirable design and analysis (=proof) modularity property.
>>
>> On the other hand, for post-handshake messages, and particularly for
encrypting
>> post-handshake client authentication messages, preserving key
>> indistinguishability is not relevant since at the time of post-handshake
>> client authentication, the application key has already lost its
indistinguishability
>> by the mere fact that the key was used to encrypt application data. Key
>> indistinguishability is the main reason to insist in key separation and
this
>> principle does not apply here anymore hence removing the objection to 1.
>>
>> I'd note that the best one could hope for in the post-handshake setting
is that
>> as a result of post-handshake client authentication the application key
becomes
>> a secure mutually-authenticated key for providing "secure channels"
security.
>> As pointed out by others in previous posts I have an analysis showing
that this
>> delayed mutual authentication guarantee is achieved even if one uses the
>> application key to encrypt the post-handshake messages. I have
circulated a
>> preliminary version of the  paper among cryptographers working on TLS
1.3
>> and  I will post a public copy next week so this can be scrutinized
further.
>>
>> Hugo
>>
>>
>> On Thu, Jul 7, 2016 at 1:10 AM, Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:
>>>
>>> If we are left with 1 or 3, the miTLS team would prefer 1.
>>>
>>> On the cryptographic side, Hugo has a recent (draft) paper that seems
to provide
>>> some more justification for (1), at least for client authentication.
>>>
>>> I know this is a bit off-topic, but the miTLS team would also like to
get rid of 0-RTT ClientFinished
>>> if that is the only message left in the 0-RTT encrypted handshake
flight. That should remove
>>> another Handshake/Data key separation from the protocol, leaving only 3
keys: 0-RTT data,
>>> 1-RTT handshake, and 1-RTT data.
>>>
>>> Best,
>>> -Karthik
>>>
>>>
>>>> On 07 Jul 2016, at 02:49, David Benjamin <davidben@chromium.org> wrote:
>>>>
>>>> On Wed, Jul 6, 2016 at 5:39 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>> On Wed, Jul 6, 2016 at 5:24 PM, Dave Garrett <davemgarrett@gmail.com>
wrote:
>>>>>>
>>>>>> On Wednesday, July 06, 2016 06:19:29 pm David Benjamin wrote:
>>>>>> > I'm also curious which post-handshake messages are the problem. If
we were
>>>>>> > to rename "post-handshake handshake messages" to "post-handshake
bonus
>>>>>> > messages" with a distinct bonus_message record type, where would
there
>>>>>> > still be an issue? (Alerts and application data share keys and
this seems
>>>>>> > to have been fine.)
>>>>>>
>>>>>> Recasting all the post-handshake handshake messages as not something
named "handshake" does make a degree of sense, on its own. (bikeshedding:
I'd name it something more descriptive like "secondary negotiation"
messages or something, though.) Even if this doesn't directly help with the
issue at hand here, does forking these into a new ContentType sound like a
useful move, in general?
>>>>>
>>>>>
>>>>> I'm not sure what this would accomplish.
>>>>
>>>>
>>>> Me neither. To clarify, I mention this not as a suggestion, but to
motivate asking about the type of message. If the only reason the proofs
want them in the handshake bucket rather than the application data bucket
is that they say "handshake" in them then, sure, let's do an
inconsequential re-spelling and move on from this problem.
>>>>
>>>> But presumably something about the messages motivate this key
separation issue and I'd like to know what they are.
>>>>
>>>> David
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email