Re: [TLS] Premaster/Master convention

Michael StJohns <msj@nthpermutation.com> Wed, 30 July 2014 20:58 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 516911A0450 for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 13:58:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 57YuMv1DlUr8 for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 13:58:49 -0700 (PDT)
Received: from mail-ig0-f178.google.com (mail-ig0-f178.google.com [209.85.213.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61DD1A041D for <tls@ietf.org>; Wed, 30 Jul 2014 13:58:48 -0700 (PDT)
Received: by mail-ig0-f178.google.com with SMTP id uq10so3661491igb.17 for <tls@ietf.org>; Wed, 30 Jul 2014 13:58:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=tPIE53c8XS/dWKD0TNFZwJbmmLdKQUKoc19NU03JjmY=; b=MZzafd3b6jnaWkiH1ZPvaDkBmvaH3Qy2B81Y8hVYK6mSVKBoyET4ZCns4n7TihzP6u FqhKprDo7myH39hCWZPSBV6wyM04dDj/gx4evQ+WgMDhscc/Ys7Ld3Q5+IZRgdFWSpfh CMJlv31qNLhq/sfoosTD3Img1WFS1G9sTr7uPTyMk8iH0Lp3CpaUXw161XuusMDySGgj v2SOjgt1R7JcKy8O09JY8s2ur4rT6BhWvyEOKWBTjFFOaZzCWkDdctNyFeARpjBPZIT9 bFfY0SPJ+2doPYNlfQHEPQNcbS4yuafqvmxkJY24uH3uD1RrZPhFpNJJ8Qlljl/Dhf7X zjQg==
X-Gm-Message-State: ALoCoQmlowNxkBBbiLLFy2zdhZPj0oMUrat02E0dnCEfdQWTjOO6496IFI64SJnDwWouf2tir/2E
X-Received: by 10.42.70.200 with SMTP id g8mr9143358icj.92.1406753927177; Wed, 30 Jul 2014 13:58:47 -0700 (PDT)
Received: from [172.27.7.54] (75-104-68-185.mobility.exede.net. [75.104.68.185]) by mx.google.com with ESMTPSA id l6sm17433861igv.4.2014.07.30.13.58.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Jul 2014 13:58:46 -0700 (PDT)
Message-ID: <53D95C7D.9060408@nthpermutation.com>
Date: Wed, 30 Jul 2014 16:58:37 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Gero, Charlie" <cgero@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <53D907B0.3000006@nthpermutation.com> <D40A7DE25C5AA54195F82EA553F2446033900BFC0A@USMBX1.msg.corp.akamai.com> <53D91332.9070103@nthpermutation.com> <D40A7DE25C5AA54195F82EA553F2446033900BFC15@USMBX1.msg.corp.akamai.com>
In-Reply-To: <D40A7DE25C5AA54195F82EA553F2446033900BFC15@USMBX1.msg.corp.akamai.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hiNe59MdW5rjO3RCiIA_NzfqBGg
Subject: Re: [TLS] Premaster/Master convention
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 20:58:52 -0000

On 7/30/2014 12:27 PM, Gero, Charlie wrote:
> I can't go into details around it at this time.  Suffice to say, we definitely do rely on the two being split.
Hi Charlie -


If someone said - "we depend on the packet formats to be predictable" 
I'd say they'd have a case for reliance and backwards compatibility.  
Saying that you did something that will break that is totally and 
completely opaque to the on-the-wire protocol spec and expecting the 
protocol spec not to change (assuming proper on-the-wire negotiation to 
describe said changes) seems to be pushing your luck.

That said, the more details you can share, the better chance we have of 
doing something that won't annoy you.  For example, would your system 
break if the master secret were no longer 48 octets?  Would it break if 
the PRF were not based on SHA256?  Would it break if the PRF were a CMAC 
vs an HMAC?

I have no idea where this idea will go.  It may go nowhere, in which 
case you're safe - for now.  It may go into the protocol.  I think if I 
were at akamai, I'd be looking at why this could be an issue, and how to 
remediate it even if it doesn't make it in.  But that's just me.

Mike



>
> -----Original Message-----
> From: Michael StJohns [mailto:msj@nthpermutation.com]
> Sent: Wednesday, July 30, 2014 11:46 AM
> To: Gero, Charlie; tls@ietf.org
> Subject: Re: [TLS] Premaster/Master convention
>
> On 7/30/2014 11:02 AM, Gero, Charlie wrote:
>> We have a number of technologies at Akamai that utilize the fact that the PMS is split from the MS and that MS is produced in conjunction with the randoms.  It allows us to do splitting between machines that have keys and those that don't (machines in safe locales and those which are simply terminators).  I don't think we could use the same methods we use today without that sub step.  It would make it very difficult for Akamai to adopt 1.3.
> So you send the master secret from the handshaker machine out to several other machines which then do what with it?  Couldn't you send the traffic keys instead?
>
> I'm not sure I understand the constraints you're working under. Could you expand on that?
>
> Thanks - Mike
>
>
>> -----Original Message-----
>> From: Michael StJohns [mailto:msj@nthpermutation.com]
>> Sent: Wednesday, July 30, 2014 10:57 AM
>> To: tls@ietf.org
>> Subject: [TLS] Premaster/Master convention
>>
>> Given that TLS1.3 only does KeyAgreement, is there still any reason for the premaster -> master_secret derivation step?  We do (KA)->premaster
>> and then premaster -> master and then master->(session keys).   We could
>> probably do (KA)->master->(session keys) where the master secret is now the KA shared secret rather than premaster.
>>
>> 1) Is there any security reason for retaining the extra step given there is no longer a KeyTransport mechanism in TLS1.3?
>> 2) Are there other *good* - non-security - reasons for retaining the extra step?
>>
>> Mike
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>
>