Re: [TLS] Consensus call for keys used in handshake and data messages

Subodh Iyengar <subodh@fb.com> Tue, 14 June 2016 21:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bb24zoiKekEWBAWAkv7Ot9r1pow>

With option (2) would the keys end up being independent anyway? I think we might need to share the sequence number space between the handshake messages and the application data messages to avoid truncation attacks. I might have missed this, but was there a proposal to deal with sequence numbers for option (2)?

I prefer option (1) since it actually offers some privacy guarantees. 

Subodh
________________________________________
From: TLS [tls-bounces@ietf.org] on behalf of Björn Tackmann [btackmann@eng.ucsd.edu]
Sent: Tuesday, June 14, 2016 1:45 PM
To: tls@ietf.org
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages

Just to be clear: the "+1" I sent earlier meant "I agree with Karthik" -- so it means solution (2).

> On Jun 14, 2016, at 1:18 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>
> Key reuse often ends up causing problems. IMHO a more sound approach is (2). IMHO it isn't prohibitively expensive either.
>
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
>   Original Message
> From: Björn Tackmann
> Sent: Tuesday, June 14, 2016 05:23
> To: tls@ietf.org
> Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
>
> +1
>
>
>> On Jun 14, 2016, at 7:08 AM, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> wrote:
>>
>> I prefer (2)
>>
>>> On 13 Jun 2016, at 22:27, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>
>>> On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote:
>>>> 1. Use the same key for handshake and application traffic (as in the
>>>> current draft-13)
>>>>
>>>> or
>>>>
>>>> 2. Restore a public content type and different keys
>>>
>>> Given this choice, i prefer (1).
>>>
>>> --dkg
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls