IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

Keith Winstein <keithw@cs.stanford.edu> Thu, 01 September 2016 21:11 UTC

Return-Path: <winstein@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9570C12DB0D for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StOHnQ8ZEIm5 for <tls@ietfa.amsl.com>; Thu, 1 Sep 2016 14:11:55 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF72512D729 for <tls@ietf.org>; Thu, 1 Sep 2016 14:11:54 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id g192so379798ywh.1 for <tls@ietf.org>; Thu, 01 Sep 2016 14:11:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=FvQBR65FL12PDe5ztITbnfdyf/VP0KVjPZziGGnGrCA=; b=ML93X/nl2jyaFco2GKbxJlSJjUT5YgYndEMTnSQ/1N5AXnXxcIEhTb+RBOVK2ALjLl tdhGugeQiUtKWA/pQtNfK9l44uYal0tuLjgwqAl2h/jxAiHDv1TUC5SVLxTLT/ucAC9v axBQiLYG8gUkT5RlRVdkQ+Ue2LKBXQqjnga5X6mqZVQEireYcecR/jUqFyVpcw7vYxZA JqTrGNEivlTh1wAZ88gLhuP955xGQZSd2U8iaepA6o7OB8lTNFRjkSBNaVj6tesBeiKa O55VoQuH01HNmafJjXwQQci4+rsyMDXIqeDbH4VI22TR0rNBftY5cRA5jATut3dn1R7r QYug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=FvQBR65FL12PDe5ztITbnfdyf/VP0KVjPZziGGnGrCA=; b=XqZlW90vjw4XH2u54XGFERjWSuISfY7O8OShOL4plVMatVSPXBy4rJFqhgqyBdNoVx ONwbEuy8owmwRIxdCCy9Vm/YswHHH1w+D6x3IY5Uu1vwyv+Y9bro13liTlxXsIolshrA 0MyvF/r8eA+iUtRRvWbKZvBFkarCWZXxKlKJS+WLJ5HvBUUM6so2cGiUwVXQsDKQ9GC2 iOF90V5Ebai0eYUWBw4xDM9c2tOiczNrL1Et9cKrALP9nko6PT7EN8KHKXokacrgGS9h LGGOInKxAB93GtihS9n5d0KAWb2KjbNYz/EGhsGVA0XMD+CIF8nUXLtsBtPljl/YBUnB NLig==
X-Gm-Message-State: AE9vXwO9I978ItBj4H7mSSfxeLsRAATWbsO04jsj4EhnQPuJ3jAb5n6XbQBoFDl+M1pTTkXmgTl5Uw/oMt+eoA==
X-Received: by 10.13.239.193 with SMTP id y184mr15574899ywe.85.1472764314213; Thu, 01 Sep 2016 14:11:54 -0700 (PDT)
MIME-Version: 1.0
Sender: winstein@gmail.com
Received: by 10.129.79.209 with HTTP; Thu, 1 Sep 2016 14:11:13 -0700 (PDT)
In-Reply-To: <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com>
References: <CAMfhd9UQ3jHLcUObBORi0Z_QQi2n4-fL9_KCwLvcDKTkJN1z5A@mail.gmail.com> <CAMzhQmMaBp0sPca9xb9jVrC=mjtZ8Rq3FnH8R8x6jcOxBO=9nA@mail.gmail.com> <CAMfhd9XxLq-S6c5K-JE50Wgm24JHihN++OawnVgQueMM8BuGuA@mail.gmail.com> <7e9c315a-f0e6-f547-e5e9-a3f48f8d12ff@cs.tcd.ie> <CAMzhQmN8=pw4LGHtZHyRQcVsx4DGwE89GNpHPUSENfbxcTHwRA@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99565C26C5@PRN-MBX01-4.TheFacebook.com> <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com> <95C31431-189C-41ED-A2D2-E370A5FB8F7A@vigilsec.com> <CABcZeBNA_MVO5e-bsnPML4epRjSDVUBf4tewqQ6EY+F1sqooPA@mail.gmail.com>
From: Keith Winstein <keithw@cs.stanford.edu>
Date: Thu, 01 Sep 2016 14:11:13 -0700
X-Google-Sender-Auth: d1Wnx-erTwGP_Rj7yZ6Z8-iM_ss
Message-ID: <CAMzhQmMR7y3htEoWE_jMXnBRZ=_1kg43MAj49mjzrUeusQsHqw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aa4k5Ja0X0x-StAE_GAYERnKLFs>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 21:11:57 -0000

I think we have to oppose a change to KeyUpdate that adds P4 (bounded
write obligations) but not P3 (ability to learn that a KeyUpdate was
read by other side). These are orthogonal and easily achievable with a
pretty small tweak. Here are four options that would work for us:

1. No change to message structures. Forbid implementations from
sending an update_not_requested KeyUpdate unless it is triggered by an
update_requested KeyUpdate.

2. Add a uint8 field to KeyUpdate representing the sender's current
receive generation (lower 8 bits).

3. Keep request_update an 8-bit field (same width as it is in the PR),
and define the high bit as representing the update_requested boolean,
and the remaining bits represent the lower 7 bits of the sender's
current receive generation

4. Keep request_update an 8-bit field (same width as it is in the PR),
define the high bit as representing the update_requested boolean, and
the remaining bits represent a 7-bit opaque value that must be echoed
in the response. (If multiple update_requested KeyUpdates arrive, any
of their values can be the one that gets echoed.)

Approach 1 seems like it might be generally acceptable here, even
understanding the concerns of the list. I am happy to draft sample
text if helpful.

-Keith

On Thu, Sep 1, 2016 at 12:55 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> I have created a PR for this at:
> https://github.com/tlswg/tls13-spec/pull/611
>
> As it seems there was rough consensus for this change, I will merge this
> weekend
> absent some violent objections or direction to the contrary from the chairs.
>
> -Ekr
>
>
> On Mon, Aug 29, 2016 at 3:06 PM, Russ Housley <housley@vigilsec.com> wrote:
>>
>> Eric:
>>
>> > Yes, I agree separate ladders would fix this. I don't necessarily object
>> > to this
>> > change, but I'm not sure it's that big a deal either, because you really
>> > only get
>> > into this case when there's a big asymmetry in sending rate, so much
>> > that
>> > one side wants to send multiple updates before the other side has sent
>> > any data at all.
>>
>> I can think of many situations where one side sends a lot more data than
>> the other.
>>
>> > Note: it's also possible to avoid the rollback problem with the existing
>> > single-ladder system: when you send a key update you compute:
>> >
>> > traffic_secret_N+1
>> > read_key_N+1
>> > write_key_N+1
>> >
>> > You then discard traffic_secret N, write_key_N, but key read_key_N, so
>> > if you
>> > are M updates ahead of the other side, you have M read keys outstanding,
>> > but these cannot be used to produce the write keys. However, this
>> > probably
>> > isn't simpler than just running two ladders if we think this is
>> > important.
>>
>> That seems to work.  However, I think that splitting the ladders seems to
>> marry well with the many situations where one side sends a lot more than the
>> other.  So, I suggest that we split the ladders.
>>
>> Russ
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.14.0 | Report a Bug | By Email