Re: [TLS] PR#837: Forward and backward secrecy
"Guballa Jens (ETAS-PSC/ECS)" <Jens.Guballa@etas.com> Thu, 29 December 2016 09:53 UTC
Return-Path: <Jens.Guballa@etas.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 766A51295AE for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 01:53:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rN9-P1b5w-aE for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 01:53:52 -0800 (PST)
Received: from smtp6-v.fe.bosch.de (smtp6-v.fe.bosch.de [IPv6:2a03:cc00:ff0:100::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8551D129426 for <tls@ietf.org>; Thu, 29 Dec 2016 01:53:51 -0800 (PST)
Received: from vsmta12.fe.internet.bosch.com (unknown [10.4.98.52]) by imta23.fe.bosch.de (Postfix) with ESMTP id 460D21580169 for <tls@ietf.org>; Thu, 29 Dec 2016 10:53:48 +0100 (CET)
Received: from FE-MBX1028.de.bosch.com (vsgw24.fe.internet.bosch.com [10.4.98.24]) by vsmta12.fe.internet.bosch.com (Postfix) with ESMTP id 25BAA1B8041B for <tls@ietf.org>; Thu, 29 Dec 2016 10:53:48 +0100 (CET)
Received: from SI-MBX1028.de.bosch.com (10.3.230.42) by FE-MBX1028.de.bosch.com (10.3.230.86) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Thu, 29 Dec 2016 10:53:47 +0100
Received: from SI-MBX1028.de.bosch.com ([fe80::c1ec:d83c:fc40:7182]) by SI-MBX1028.de.bosch.com ([fe80::c1ec:d83c:fc40:7182%20]) with mapi id 15.00.1236.000; Thu, 29 Dec 2016 10:53:47 +0100
From: "Guballa Jens (ETAS-PSC/ECS)" <Jens.Guballa@etas.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] PR#837: Forward and backward secrecy
Thread-Index: AdJhCeoibfvJgyGQRVaNYfkZRapNKAAKX5GAAB61O2A=
Date: Thu, 29 Dec 2016 09:53:47 +0000
Message-ID: <7552d0dd141f423591e50398d29e41ae@SI-MBX1028.de.bosch.com>
References: <b1aff9520e244f19b3c7c42797e73ef1@SI-MBX1028.de.bosch.com> <20161228185417.GV13486@mournblade.imrryr.org>
In-Reply-To: <20161228185417.GV13486@mournblade.imrryr.org>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.51.202.94]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_004C_01D261C1.D3D7E6D0"
MIME-Version: 1.0
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.0.0.1202-22788.006
X-TMASE-MatchedRID: X+5mRT+D0xsol39hmeEcd/p1plqEbuqxQY6asswqRNstxWNuz6R5rJPG lAhwdrelLNiBsAzWU1gOFzppsEIdiLE2JkUZcFMKbMGKOuLn5FXUVtZ/Qi4vt6+WgCcaviqGLb7 cluQHYe3Ewh+FBAsuQbEEZIBH5eb/npTuOg/W2Y4D2WXLXdz+AZfRrj+dnBcslNU3cWIuTKjsVk d/wLkXBrWhcxSN1KkV6pbNFWS8cDt1L4O6ei8PH6m4PbloS2C3+KgiyLtJrSCyd65qZFFPkzpbf dTAcNXmrdZLelE6wFtcLc3sLtjOt1jtFRRrj2eO5tHwb6x0QAhuRXh7bFKB7glOr4P1gkO9VOGc leSFW91y2O4yqxgUjRJb/sfHPbRBvuvB6gAgryg=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bLhN4Ju8_K1GhedGF8VdMvIHjOg>
Subject: Re: [TLS] PR#837: Forward and backward secrecy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 09:53:54 -0000
>
> > My understanding:
> > A compromised long term key does not compromise captured future traffic
> => forward secrecy (provided by (EC)DHE)
>
> This is not correct. Forward-secrecy is the below, not the above.
[JG] I did not say clearly what I meant. :-)
For my statement I set the presence implicitly to the end of the handshake,
sorry for the confusion.
Anyway, in principle I am in line with the definition of "Forward secret"
in section E.1, but still I have two comments:
1.
"Forward secret
If the long-term keying material (in this case the signature keys in
certificate-based authentication modes or the external/resumption PSK in PSK
with (EC)DHE modes) are compromised after the handshake is complete, this
does not compromise the security of the session key (See [DOW92]).[...]"
- I think that "session key" is a synonym for "master secret".
- My understanding: The master secret is a short-term secret, I think an
implementation can delete it after the working keys have been derived,
right?
If these assumptions are correct, then I prefer something like
"..., this does not compromise the security of the master secret (see
[DOW92]) and
the derived working keys."
2.
If the term "backward secrecy" will remain in the draft, then I propose to
either add a definition or refer to a definition of this term outside of
the draft.
>
> > A compromised long term key does not compromise captured traffic from
> the past => backward secrecy (provided by HKDF-hash)
>
> --
> Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
- [TLS] PR#837: Forward and backward secrecy Guballa Jens (ETAS-PSC/ECS)
- Re: [TLS] PR#837: Forward and backward secrecy Viktor Dukhovni
- Re: [TLS] PR#837: Forward and backward secrecy Guballa Jens (ETAS-PSC/ECS)