Re: [TLS] Do we really need two 0-RTT keys?
Eric Rescorla <ekr@rtfm.com> Fri, 18 December 2015 23:02 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3EC81A0013 for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 15:02:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gArhFTyo6SuS for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 15:02:49 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EFFC1A000B for <tls@ietf.org>; Fri, 18 Dec 2015 15:02:49 -0800 (PST)
Received: by mail-yk0-x22f.google.com with SMTP id x184so75949727yka.3 for <tls@ietf.org>; Fri, 18 Dec 2015 15:02:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=9ZLmu9zqhgXicbRiiY1Xg81qCv7tvpK1XFumCknT5Vw=; b=lwIvKO6+tRSkP6ryNX1KGYSl++kadwEI1RNDPzBqGwBg1pEUGhGcM/gNKwl+mu1Cg1 WNB8jiSXOKEJBiU3a1jHUFPDZp9Lm3rixsGYfWbbxcdF/92X2RmRCZNP3bYcu8TXoSdJ Naz2jE+RMJEuFkZ7CcVHR+8jallclzKXWu1Y4tDsW6EjZ/gGyAmYTJef2i03SY6Zt0+X cb06eLkqZr93+pnOglbO4M4+qlHhPYozr4ARmI8C5pXcOnZikcsF0Dg+/qtFdx3CxMnK UuixYoYNeEk5FPPWMNHWSICbp+1chFbGhc8aIxQjn7NXII2Fw3MGHXxEKY/mLWIjrvfN scyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=9ZLmu9zqhgXicbRiiY1Xg81qCv7tvpK1XFumCknT5Vw=; b=Dsdx8ZXeb44d0MRmuIb62ol9dKCSx4jBaE3PjubgpcGt8tjV08tIzUwIpzrA19KKFK gScQ0NKYL2bcYWUsQeYLj+BwvAynz0ZsTue6nGPYmiAcaNdxC5YCvV8IO3P1LegZ5hou J9RA15I/o3pifsL/IO+sl37PgQmPwqO4DTF2MNkK6Oj6tEc/cWWeGqSgaNGVdjdVAYhI bngRmAY4i7X97qZe5peK77uTAooxBz2gmpqa+RIv/Wwz1rSOOqyiBrMu0W9ey7ZQXXhE EVmYzsYav/v0ePxH7Hse5XTpCFAf3LqkJr9rSd3bYAGEKq7G77IJYe07vJBKU7h0dW4q i6Tw==
X-Gm-Message-State: ALoCoQmcW9SXaRccELkiujOPPihFRlRaF9X4VtlGLw+dEXrvN2e2YZv10iK4xUvZCTrwt48A0YDpYGGTl8MGHCStHcHuNK5Dcw==
X-Received: by 10.129.73.133 with SMTP id w127mr5872338ywa.223.1450479768709; Fri, 18 Dec 2015 15:02:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Fri, 18 Dec 2015 15:02:09 -0800 (PST)
In-Reply-To: <DM2PR0301MB065560395A8F3BD86855348DA8E10@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <DM2PR0301MB065560395A8F3BD86855348DA8E10@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 18 Dec 2015 15:02:09 -0800
Message-ID: <CABcZeBNQM5nUjBZL1QPtB789ODmuZ5iF59kNtfAWp5x+yP4NNg@mail.gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: multipart/alternative; boundary="001a114dcf6a5e5b9c05273423af"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hASt3hEBLXkjpyDmfUZEYGK_xHw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we really need two 0-RTT keys?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 23:02:51 -0000
On Fri, Dec 18, 2015 at 2:45 PM, Christian Huitema <huitema@microsoft.com> wrote: > The ladder diagram describing the 0-RTT exchange is simple enough, as seen > in this extract: > > Client Server > > ClientHello > + KeyShare > + EarlyDataIndication > ^ (Certificate*) > 0-RTT | (CertificateVerify*) > Data | (Finished) > v (Application Data*) > (end_of_early_data) --------> > > The text indicates that client auth and application data messages are > protected by "keys derived from the static secret." But then, hidden in > section 7.2 is an interesting twist -- too different keys are supposed to > be derived from the static secret, one for 0-RTT handshake, another for > 0-RTT Application. If I understand correctly, the Certificate, > CertificateVerify and Client Finished message would be protected with the > "0-RTT Handshake" key, and the Application data and end-of-early data > message would be protected with the "0-RTT Application" key. > Yes, that's correct. > I assume that there is a good reason for this extra complexity, even if it > eludes me. The motivation for this was that a number of people working on analysis complained that using the same key to encrypt handshake traffic and application traffic (as is done in TLS 1.2 with Finished and application messages) made analysis harder. I'm not equipped to take a position on this, but that's what I have been told. We already do that for the 1-RTT keys and we're doing the same thing here. > But I worry a bit about what that would do when we start working on DTLS > 1.3. UDP messages can arrive out of order. Yes, there is a message number, > but the record layer is not necessarily well positioned to interpret it -- > the certificate and verify message are optional, so when a record layer > receives packet #3 before packet #2, it does not know whether this is a > CertificateVerify message (handshake key) or an application message > (application key). > Note: the Certificate message isn't optional in the sense that the server doesn't know if it's coming. Whether it's sent is conditioned on the configuration (in WIP-11) an on the client's EarlyDataInfication (in WIP-10). But your general point is right in that you can have loss and reordering. So, for instance, say that the client sends messages with seq nums as follows: ClientHello: 0 (in clear) Finished: 1 (with Handshake Key) AppData: 2 (with app key) Now, 1 and 2 are lost, and the client retransmits: Finished: 3 (with Handshake Key) AppData: 4 (with app key) If #3 is now lost, the server may not know if #4 is handshake or application data since (for instance) the client might have fragmented the Finished over two records. Now, I think there are several ways to deal with this. First, the server can just continue to attempt to process records with the handshake key until the handshake is completed, in which case it will drop #4 and then get the retransmit of the Finished (#5, presumably). Second, DTLS has an epoch # used to indicate which generation key you are using. We should come down on some deterministic use of that in which case things will be obvious. Yes, there are solutions, yes, it can be managed, but are we sure that this > particular bit of complexity is worth it? > Karthik? Others? :) > And if it worth it, can we add a description of the key switching logic in > section 6.2.2? That seems like a good plan... Ekr > -- Christian Huitema > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Do we really need two 0-RTT keys? Christian Huitema
- Re: [TLS] Do we really need two 0-RTT keys? Eric Rescorla
- Re: [TLS] Do we really need two 0-RTT keys? Christian Huitema