IETF Logo Mail Archive

Re: [TLS] Premaster/Master convention

"Gero, Charlie" <cgero@akamai.com> Thu, 31 July 2014 01:18 UTC

Return-Path: <cgero@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C1851A016D for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 18:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DCvgJkcrq1Y for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 18:18:56 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (prod-mail-xrelay06.akamai.com [96.6.114.98]) by ietfa.amsl.com (Postfix) with ESMTP id 5282D1A0076 for <tls@ietf.org>; Wed, 30 Jul 2014 18:18:56 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id CB7EF1657B0; Thu, 31 Jul 2014 01:18:55 +0000 (GMT)
Received: from prod-mail-relay09.akamai.com (prod-mail-relay09.akamai.com [172.27.22.68]) by prod-mail-xrelay06.akamai.com (Postfix) with ESMTP id C07211657AF; Thu, 31 Jul 2014 01:18:55 +0000 (GMT)
Received: from usma1ex-cashub.kendall.corp.akamai.com (usma1ex-cashub5.kendall.corp.akamai.com [172.27.105.21]) by prod-mail-relay09.akamai.com (Postfix) with ESMTP id 938CD1E043; Thu, 31 Jul 2014 01:18:55 +0000 (GMT)
Received: from USMBX1.msg.corp.akamai.com ([172.27.107.26]) by USMA1EX-CASHUB5.kendall.corp.akamai.com ([172.27.105.21]) with mapi; Wed, 30 Jul 2014 21:18:55 -0400
From: "Gero, Charlie" <cgero@akamai.com>
To: Michael StJohns <msj@nthpermutation.com>
Date: Wed, 30 Jul 2014 21:18:53 -0400
Thread-Topic: [TLS] Premaster/Master convention
Thread-Index: Ac+sXWU5nP7LaK9qQEWoYQO380mTGw==
Message-ID: <BD068080-2854-4EBA-A96E-1030CB7C1CFF@akamai.com>
References: <53D907B0.3000006@nthpermutation.com> <D40A7DE25C5AA54195F82EA553F2446033900BFC0A@USMBX1.msg.corp.akamai.com> <53D91332.9070103@nthpermutation.com> <D40A7DE25C5AA54195F82EA553F2446033900BFC15@USMBX1.msg.corp.akamai.com> <53D95C7D.9060408@nthpermutation.com> <6ECEF2D7-A1AE-4AC4-90C5-62A38075B0BF@akamai.com>
In-Reply-To: <6ECEF2D7-A1AE-4AC4-90C5-62A38075B0BF@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_BD06808028544EBAA96E1030CB7C1CFFakamaicom_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eZ5Gj3elZ4ur3NXVMCc5CBZVsFM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Premaster/Master convention
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 01:18:59 -0000

Sorry for the second late response.  Hectic day.  Here's a follow up from the previous.

Missed answering your original questions:
Would your system break if the master secret were no longer 48 octets? No.
Would it break if the PRF were not based on SHA256?  No.
Would it break if the PRF were a CMAC vs an HMAC? No.

In addition, as long as TLS 1.3 keeps static RSA key exchange and renegotiation out as well as only removing PMS to MS in 1.3 and later, we should be ok.  As someone adeptly inferred earlier, this is where things would get hairy for us if any of these constraints are violated.

Again, I'm not sure this has steam behind it or not (only time will tell) but we should be able to work out things given those constraints.

Regards,
Charlie

On Jul 30, 2014, at 8:44 PM, "Gero, Charlie" <cgero@akamai.com<mailto:cgero@akamai.com>> wrote:

Michael,

Respectfully, there are things that we can and can not divulge.  I will continue to monitor this path and will update as necessary if removal of the PMS to MS step looks like it is gaining traction.  I'm not sure it is.  Certainly, Akamai represents a significant amount of SSL traffic on the Internet, so we want to make sure we future proof our designs.  My not telling you of how the internals work should not be construed that we're not trying to guard against this and other possible changes.  It is simply relaying to you a real world fact without divulging what I can not divulge.

Charlie Gero
Senior Principal System Software Engineer
Team Lead Engineering - Akamai Labs
617.444.3940

On Jul 30, 2014, at 4:59 PM, "Michael StJohns" <msj@nthpermutation.com<mailto:msj@nthpermutation.com>> wrote:

On 7/30/2014 12:27 PM, Gero, Charlie wrote:
I can't go into details around it at this time.  Suffice to say, we definitely do rely on the two being split.
Hi Charlie -


If someone said - "we depend on the packet formats to be predictable"
I'd say they'd have a case for reliance and backwards compatibility.
Saying that you did something that will break that is totally and
completely opaque to the on-the-wire protocol spec and expecting the
protocol spec not to change (assuming proper on-the-wire negotiation to
describe said changes) seems to be pushing your luck.

That said, the more details you can share, the better chance we have of
doing something that won't annoy you.  For example, would your system
break if the master secret were no longer 48 octets?  Would it break if
the PRF were not based on SHA256?  Would it break if the PRF were a CMAC
vs an HMAC?

I have no idea where this idea will go.  It may go nowhere, in which
case you're safe - for now.  It may go into the protocol.  I think if I
were at akamai, I'd be looking at why this could be an issue, and how to
remediate it even if it doesn't make it in.  But that's just me.

Mike




-----Original Message-----
From: Michael StJohns [mailto:msj@nthpermutation.com]
Sent: Wednesday, July 30, 2014 11:46 AM
To: Gero, Charlie; tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] Premaster/Master convention

On 7/30/2014 11:02 AM, Gero, Charlie wrote:
We have a number of technologies at Akamai that utilize the fact that the PMS is split from the MS and that MS is produced in conjunction with the randoms.  It allows us to do splitting between machines that have keys and those that don't (machines in safe locales and those which are simply terminators).  I don't think we could use the same methods we use today without that sub step.  It would make it very difficult for Akamai to adopt 1.3.
So you send the master secret from the handshaker machine out to several other machines which then do what with it?  Couldn't you send the traffic keys instead?

I'm not sure I understand the constraints you're working under. Could you expand on that?

Thanks - Mike


-----Original Message-----
From: Michael StJohns [mailto:msj@nthpermutation.com]
Sent: Wednesday, July 30, 2014 10:57 AM
To: tls@ietf.org<mailto:tls@ietf.org>
Subject: [TLS] Premaster/Master convention

Given that TLS1.3 only does KeyAgreement, is there still any reason for the premaster -> master_secret derivation step?  We do (KA)->premaster
and then premaster -> master and then master->(session keys).   We could
probably do (KA)->master->(session keys) where the master secret is now the KA shared secret rather than premaster.

1) Is there any security reason for retaining the extra step given there is no longer a KeyTransport mechanism in TLS1.3?
2) Are there other *good* - non-security - reasons for retaining the extra step?

Mike



_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email