Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
Eric Rescorla <ekr@rtfm.com> Tue, 12 July 2016 21:42 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A86EC12D9CC for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 14:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JELhc3GrB4dk for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 14:42:56 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D15512D1A2 for <tls@ietf.org>; Tue, 12 Jul 2016 14:42:55 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id l125so26282869ywb.2 for <tls@ietf.org>; Tue, 12 Jul 2016 14:42:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5aaGJsLKNqURs9FeL6MhwyRauEdcAdIRjThh5PGd988=; b=bXvkFr7hNhNq16sFvMR3SEYdIFP+9/czPzjLa+0tJ6XOfYawioJUeiZiba8Ns8mDOR Krv7V3nY1ys5i9BaEabm1i2lcRmWDEBIqWIqvM7Uuq8+Za1vGl/maX6L2ew8vZLSZZEO 0GhLnIZfIktOvognZw4FiD6gbEvfZWGM4kqMzSkNaeq/0pfWMK5HOJW7NyfUwr/3k6uR W4BppvJkfNQY/puW5K2P7SgUuKY1DcBCyrXsWsrfoKM/OJ7Qj7V30oqBSVWCYpD0ZzKz ITWA12MDMCgMPIbeBXS8Y320YYECwVMa+usnwtPioLE4fvcbffThjxfP2WYPjXIDjJe+ 3Z4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5aaGJsLKNqURs9FeL6MhwyRauEdcAdIRjThh5PGd988=; b=G44ez6iS5rSSWDxv4V6ffUdNzxCr4v2rAanMVOuwGbcyoLRaRCAYQ+WSczduZ9Zrw9 uWIfzUglCVNO3O3xcCKcQ5kz/DJMFyhUtK6duvKN2KzP7/7jCozztAcqda4TucQzHnrV kNBdYyAwDuSceSCNyJKlWBkKjNg8NiaEHjsWoo1IzAOTeC/KEx3p0rNvzPw97SQnerVU xo4xUfEYpXXsAYsXsZyNj3IRXUEstuCStYNmozDeNiAuti/wQD0+Lp5WYvgT8RJ0MxjW OLqwUe/fgMitzu9ClHXV8YyeMsb3F+PQS1bTJ64SDHKUstU2IHg5xs03sk8y5mDL9YIR u8Dw==
X-Gm-Message-State: ALyK8tIegvOT1akllLv/hEE/yqAYTPQBx5ix4DWbnVGODkM1p/G37/cp43uaAqWyooWy2UexXpEIc62nslU8Tw==
X-Received: by 10.13.201.134 with SMTP id l128mr3644647ywd.93.1468359774565; Tue, 12 Jul 2016 14:42:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.152.13 with HTTP; Tue, 12 Jul 2016 14:42:15 -0700 (PDT)
In-Reply-To: <20160712212740.GC32363@LK-Perkele-V2.elisa-laajakaista.fi>
References: <C6FAB38B-FF5A-43D3-A0DB-554FAF23ED92@gmail.com> <CY1PR03MB21554CF98C27A89230DDD5F18C3F0@CY1PR03MB2155.namprd03.prod.outlook.com> <3F568B47-BE31-4EBB-AA95-C3045911956B@gmail.com> <20160712212740.GC32363@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Jul 2016 14:42:15 -0700
Message-ID: <CABcZeBN0c2x-1Wzgr3uHtBHzq75Ny7kvStDvZjh8_9S=dE8vSg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a114e630ec44fba05377726af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fb8w4xQHGIk_2ExTN3VgbZp96e0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 21:42:59 -0000
On Tue, Jul 12, 2016 at 2:27 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Tue, Jul 12, 2016 at 10:00:35AM -0400, Douglas Stebila wrote: > > > On Jul 11, 2016, at 19:24, Andrei Popov <Andrei.Popov@microsoft.com> > wrote: > > > > > > Back to the question... > > > One challenge with this is that exporters are often used to compare > > > things. For instance, one side signs an exported value, the other > > > validates the signature by independently exporting the same value. > > > Getting different values for a particular exporter will cause some > > > classes of things to fail in subtle ways. > > > > Agreed, this does create the possibility that the endpoints will export > > different values at different times due to unsynchronized context > > switches. > > It gets worse: KeyUpdate is explicitly designed to work even when > arbitrarily unsynchronized and run behind app's back (the application > never having to care for it). > > > > However, we should compare this failure mode (which might cause two > > "partnered" parties to not get the same exporter key) with the failure > > mode if we use the same EKM for the whole session (which might cause > > more parties than we expect to get the same exporter key). Fail-closed > > versus fail-open. > > Also, I wouldn't expect rekeying occur very often at default. 24M > records in bulk transfer is quite a bit of data (would require quite > fast connection to do in a few hours even at full blast). And there > is no recommendation on time-based rekeying (and Chacha can run > as good as forever even on the fastest connections). > > So, even if rekey changed EKM, it likely would not save you if > application misused exporters in way vulernable to this. > > > Worth security consideration? Certainly. > > > > Also, why does post-handshake auth seemingly always use traffic_secret_0, > instead say whatever happens to be the newest in forward (C->S) > direction when the Finished is sent (that would be well-defined key)? > Thinko. Filed an issue for this. https://github.com/tlswg/tls13-spec/issues/545 -Ekr > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Ilari Liusvaara
- Re: [TLS] Should exporter keys be updated with po… Andrei Popov
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Bill Cox
- Re: [TLS] Should exporter keys be updated with po… Douglas Stebila
- Re: [TLS] Should exporter keys be updated with po… Eric Rescorla
- Re: [TLS] Should exporter keys be updated with po… Hugo Krawczyk
- Re: [TLS] Should exporter keys be updated with po… Martin Thomson
- Re: [TLS] Should exporter keys be updated with po… Andrei Popov
- [TLS] Should exporter keys be updated with post-h… Douglas Stebila