Re: [TLS] Application layer interactions and API guidance

Eric Rescorla <ekr@rtfm.com> Wed, 12 October 2016 19:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8621112958D for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 12:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvLIMBt4e3Uj for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 12:57:43 -0700 (PDT)
Received: from mail-yb0-x22b.google.com (mail-yb0-x22b.google.com [IPv6:2607:f8b0:4002:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A30CA1294D0 for <tls@ietf.org>; Wed, 12 Oct 2016 12:57:43 -0700 (PDT)
Received: by mail-yb0-x22b.google.com with SMTP id 191so23314422ybv.3 for <tls@ietf.org>; Wed, 12 Oct 2016 12:57:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Dhq0HJK41Ap9WKgZLdWtUI1GfZyTA/tR4aa7ejqzrKQ=; b=pY+Y91bMLzbZOwY7CgUGBA5nyfAWDF8NkjckJJTp7vHQZSWlDJIP2tZPZbCbylrcDq +GDoJJjeOe+AynIgqinBH1u6LAni+eWxp9R3TzDcMT7Tl/X2ZXJuDZK7PY9UCleIN+v+ JRo4WrSCFvB9scGhzNcKVjlCmUQQ04C13YekUhQIPZWO2AcILTfS/QcMFIxyzBAlNmvN jOYayncipCLMkuFKeLt8K1jwyc3yAVOX8O7JgUK43Oo2129bb0caiboNzVTR4UZRQM/G evoNnekIGHyInrpsIrJmBbZkyMSLX3d0qNnk45wtlr8c2YX+i23PRXaT5QF2i9oIvo33 UiNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Dhq0HJK41Ap9WKgZLdWtUI1GfZyTA/tR4aa7ejqzrKQ=; b=cDtZR6XNXog70mYgOScmdSi217eNICO68LptXjb7zAMIg5ewmlPgatO7VzQda/y+xD cwOjIi9GXXMIjYkOBu7BA+5s45HI8S/dmz9XRdSsGIpBIprcnWF1CNvimYJdSPT/qwCY ajRQ3BQcLbEvSb/wL8KzcCZf1LQD4qvX2IZeWR+REn5ioT5i0ELI4g6sy4fpH8lktCrg 0yoY7tI5+J8yEDHB4F4whPC+sxYGvK83+nmNXl61Uji24drLe1NDTXa6/mUhAZLWsslw iOM1CmpXcf9ZrIsL+Ur/Lla6LujYLtJYCp2dpHcZbmE2pieMjGgt6PIHs1pFv/k/0c7l KpPw==
X-Gm-Message-State: AA6/9Rm6nt56rnSaPD6Pz0XF9UYrj6/1tftjh9a+29xy09UAfMJqMBWfAMn9nfWzeRiRwILCwDMG6r+Q21Wehg==
X-Received: by 10.37.65.142 with SMTP id o136mr2481365yba.65.1476302262906; Wed, 12 Oct 2016 12:57:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.212 with HTTP; Wed, 12 Oct 2016 12:57:02 -0700 (PDT)
In-Reply-To: <CAJU8_nWZpxBGL2Uw9p-ZV=P0VTd+9Dabr2NxA=MKSyq+cYYz=g@mail.gmail.com>
References: <CACdeXiK1Wdnd2UaUdPJ6sL-LSW8oQbWyetUJ+3bUQEZY45ax5w@mail.gmail.com> <CAF8qwaDQqceewkg5XoN+8iiHtNO=J9YHH_aRS5+k_4fKTJvfeA@mail.gmail.com> <CACsn0ckz72rhSCQTYRvmWB6n_tdvB5E-V7ssV6qjGO6=qsXY+w@mail.gmail.com> <CAJU8_nWttdcOX=wHOqouZEpFyP3Tok0xTDCzvMrBunkSW9kO+w@mail.gmail.com> <CABkgnnV6YY_GEFKe2C+k67RcJjoPBJoWx1Crat_TMkvB8E-r_Q@mail.gmail.com> <CAJU8_nWtf1sgZ5jQs6zyjU5CotXq42WiYRFpMVU0qbvyy-pGFA@mail.gmail.com> <20161012081145.GA16436@LK-Perkele-V2.elisa-laajakaista.fi> <CAJU8_nWRRyCERorZeMwqXUHsEk2PNWjfD+m1jg0tA=ULV0e2Kg@mail.gmail.com> <20161012170237.GB21085@LK-Perkele-V2.elisa-laajakaista.fi> <CAJU8_nULQnCwcFFo6o-ZH9yc2QVYZ5yTC2Y-SikRs5pJqG7Vaw@mail.gmail.com> <20161012180337.GA21390@LK-Perkele-V2.elisa-laajakaista.fi> <CAJU8_nWZpxBGL2Uw9p-ZV=P0VTd+9Dabr2NxA=MKSyq+cYYz=g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Oct 2016 12:57:02 -0700
Message-ID: <CABcZeBM7Q33ud9xV+tCXY1RDMQOVqFh0VUxc5NQaHSADYB4Mog@mail.gmail.com>
To: Kyle Rose <krose@krose.org>
Content-Type: multipart/alternative; boundary="001a11c019aaf67d0a053eb06736"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZouFqMTgCPqlYmHgTfR5QO1YpiY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Application layer interactions and API guidance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 19:57:45 -0000

On Wed, Oct 12, 2016 at 12:55 PM, Kyle Rose <krose@krose.org> wrote:

> On Wed, Oct 12, 2016 at 2:03 PM, Ilari Liusvaara <ilariliusvaara@welho.com
> > wrote:
>
>> > There's my confusion. I misinterpreted both the Zero-RTT diagram and the
>> > table of handshake contexts under "Authentication Messages",
>> specifically
>> > "ClientHello ... later of EncryptedExtensions/CertificateRequest". I'm
>> > guessing I should be looking at the 0-RTT row only? I.e., if 0-RTT is
>> > accepted, is the second Finished message from the client ("{Finished}")
>> the
>> > same message encrypted differently (using the handshake traffic secret)?
>>
>> No, there is no difference in ClientFinished in case of 0-RTT accept or
>> reject (other than the contents of the CH and EE hashed in).
>>
>
> Still confused. :-)
>
> In the message flow for 0-RTT, there are two Finished messages sent from
> client to server. One is sent right after CH, and is protected by the
> client_early_traffic_secret: (Finished). The other is sent after the server
> sends its Finished, and this is protected by the handshake_traffic_secret:
> {Finished}.
>
> In the table under "Authentication Messages", there are four rows, one for
> each Mode: 0-RTT, 1-RTT (Server), 1-RTT (Client), and Post-Handshake.
>
> Which handshake context is used for the (Finished) message and which is
> used for the {Finished} message?
>
> The thing that protects the 0-RTT data from substitution is the record
>> protection MACs that are made using key derived from the PSK secret. So
>> if the PSK secret is unknown, the key for 0-RTT can't be derived, and
>> as consequence, 0-RTT data can't be altered (there's end-of-data marker
>> too, preventing truncation).
>>
>
> Altered is one thing, and I agree that is prevented; I'm talking about
> substitution.
>
>
>> And basically, ServerFinished MAC covers everything up to that point,
>> and ClientFinished MAC covers the entiere handshake (0-RTT data not
>> included).
>>
>
> So client Finished doesn't protect 0-RTT data, but...
>
>
>> You can't swap out 0-RTT data (without PSK keys). One can only create
>> new connection attempts (that fail!) with the same 0-RTT data (and the
>> same ClientHello) before or after the real connection (if any, it
>> could be supressed, in which case you would get only failed handshakes
>> with 0-RTT data).
>>
>
> This is exactly what I'm trying to understand. What specifically prevents
> this swapping? I.e., what ties the 0-RTT data sent on a particular
> connection to the rest of that connection, such that replacing that 0-RTT
> data with 0-RTT data from a previous successful connection will cause a
> failure?
>

The 0-RTT traffic key incorporates the ClientHello.Random which is tied
into the full handshake.

-Ekr


>
> Kyle
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>