IETF Logo Mail Archive

Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 12 July 2016 02:56 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6293A12D675 for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 19:56:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IKK8Qhc-eeHo for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 19:56:53 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46C9812D595 for <tls@ietf.org>; Mon, 11 Jul 2016 19:56:53 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id w127so2595148ywf.3 for <tls@ietf.org>; Mon, 11 Jul 2016 19:56:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=CYuIIKPxnVneP3tfvtB6aF4BdODFGEEwZlPq7nGfAfQ=; b=hlqefGyv1GTywlEiKMdsqveNdLihH7v/Q+bdendYV98raDQ1wCUlzONbmCW9vsA5C3 0X9b3TyXWQhU5fx4BIQWOppDXjyblSFl0cc5fobNm2jI2a0XDN+4QN90rPLI9SygvnC+ 6FIhI6hp9KQzn4oBQOTrkBw+K9MPJoxhRWCptUHn6Kpqt0Xg9jxJj639XuMPKFBx5imH +cZ5uA5aDna0KV4hYEefeNRLlHT+jHAPsxLcB4uSXkyQhILNQzwCYPAY9DV6SjZ/tkSG fAoETT6PFpbrNyL7I5UCeWUqMqltZLa4iqw5l+QFbkAxxatLcM4OefQkIgX8Mhi5Gq/K +sXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=CYuIIKPxnVneP3tfvtB6aF4BdODFGEEwZlPq7nGfAfQ=; b=eX/bUJ9R9BCv/rdTzScOWO7lhBGeUUAwZxWmcreLkiLLvMJpMGOigNWq6eekwQbEey Hn58OTU8q7wbbFiRCLU/kTFeKW0GkdHscSjTxlAm4J631XKDJJFT5k6OKblr+0zKEZ/I 9nJeaXfqNWOcveH+EPCPzJwbP5vvM7doMyKEsYmpKCmi6Q2Xm7rF/JjtFz8Jp+RhX9S4 8HEeebxX+sdwQfzwLIEYlHzgPxgscp8o3b8nADlREnQHoGx8AH5cnFmf5GPqxRK6LN6A wj0C5nSK8yCvu4ptep7z9yQoKwDBJ5/aLqhADaYoIsmJKlgnK7mtQgkxI49O/kAmmMso bAaQ==
X-Gm-Message-State: ALyK8tIBRQhjPRh3qklRDpmm1+Y3yiVpAC9Kx7VndoggUeRxzsH8kLvD4fGJSBiYTXMAlGQwCSs3uxDa5enLmw==
X-Received: by 10.129.19.212 with SMTP id 203mr15793333ywt.104.1468292212405; Mon, 11 Jul 2016 19:56:52 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.37.64.3 with HTTP; Mon, 11 Jul 2016 19:56:22 -0700 (PDT)
In-Reply-To: <CABkgnnXjoQnAmsUBnU1MjF5cotFCRYF9VHUayv3K9xD+dN1QUQ@mail.gmail.com>
References: <C6FAB38B-FF5A-43D3-A0DB-554FAF23ED92@gmail.com> <CABkgnnXjoQnAmsUBnU1MjF5cotFCRYF9VHUayv3K9xD+dN1QUQ@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 11 Jul 2016 22:56:22 -0400
X-Google-Sender-Auth: l2mj6jx3UG6AzetwLSWyj2knFuQ
Message-ID: <CADi0yUMbjJHn3Bb+p52QBwSVptp-eDJRZs8-Yxa6dOLFMhCqzw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11429246bf3e690537676b1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hrb_8LidD1Zbc0vYB-NVssmHNhk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 02:56:56 -0000

On Mon, Jul 11, 2016 at 9:13 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Not taking any position on the question, which I think is a fine thing
> to ask, but...
>
> I'd just like to point out that the example is flawed in the sense
> that the system permits both users to share state.  When Alice logs
> out, that needs to include any state that might have been accumulated
> to Alice.  This necessarily includes any sessions, including that TLS
> connection.
>
> If we imagine that this is a browser, then you also need to flush
> caches and remove cookies before the system is usable by another user.
> There might be operating system level things as well.  Machines in
> internet cafes often create temporary accounts, or even rebuild the
> entire machine between users for this reason.
>
> Back to the question...
> One challenge with this is that exporters are often used to compare
> things.  For instance, one side signs an exported value, the other
> validates the signature by independently exporting the same value.
> Getting different values for a particular exporter will cause some
> classes of things to fail in subtle ways.
>

​This is unrelated
 to the issue
​s​
raised by Douglas
, but  if the exporter *key* is intended for use as a unique session
identifier

​(or ​a sort of "channel binding") then calling it a "key" is misleading.
For example, while a key of 128 bits is perfectly fine (e.g. for AES-128),
such length is insufficient as a channel binding string (where resistance
to birthday attacks seems necessary). I do not see a note on this in the
TLS document or RFC 5705.

Hugo


>
> On 12 July 2016 at 05:39, Douglas Stebila <dstebila@gmail.com> wrote:
> > Some of the discussions I've had with people about post-handshake client
> authentication have raised the question of whether application traffic
> secrets should be updated automatically upon post-handshake client
> authentication: the thinking being that every change in context should be
> accompanied by a change in keying material.  I used to think that was a
> good idea for TLS 1.3, although it was recently argued to me that if we
> view the application traffic secrets as being "internal" to the TLS
> protocol, then the change in client authentication status doesn't change
> the confidential or integrity properties of the record layer, it just
> serves as a "marker" to the application that certain portions of the
> application data were associated with certain authentication contexts.  I
> was convinced that this can be safely accomplished without a change in
> application traffic secret key material.
> >
> > But I'm not sure that the same applies to *exporter* keys.  Should
> exported keying material change as the authentication context changes?
> >
> > Consider a long-lived TLS connection, where different users come and
> go.  For example, a web browser on a public terminal may have established a
> long-lived TLS connection to a particular website, and send subsequent
> requests to the same website over the same TLS connection.  Now imagine two
> users use the terminal one after another:
> >
> > 1: initial handshake on a public terminal
> > 2: [time passes]
> > 3: Alice starts browsing
> > 4: Alice does post-handshake client authentication
> > 5: Alice purchases something
> > 6: Alice hits "logout" at the application layer
> > 7: [time passes]
> > 8: Bob starts using the terminal
> > 9: Bob does post-handshake client authentication
> > 10: Bob purchases something
> > 11: Bob hits "logout" at the application layer
> >
> > TLS 1.3 will tell the application about events 4 and 9.  Events 6 and 11
> happen at the application layer rather than the TLS layer (since I don't
> think TLS 1.3 has a client-de-authentication option).  But putting this all
> together, the application will learn all the correct authentication
> contexts: 1-3 is anonymous, 4-5 is Alice, 6-8 is anonymous, 9-10 is Bob,
> 11-onwards is anonymous.
> >
> > Now imagine that we use keying material exporters in on lines 5 and 10:
> >
> > 1: initial handshake on a public terminal
> > 2: [time passes]
> > 3: Alice starts browsing
> > 4: Alice does post-handshake client authentication
> > *5: Alice presses the "export keying material" button
> > 6: Alice hits "logout" at the application layer
> > 7: [time passes]
> > 8: Bob starts using the terminal
> > 9: Bob does post-handshake client authentication
> > *10: Bob presses the "export keying material" button
> > 11: Bob hits "logout" at the application layer
> >
> > Since the exporter master secret is not updated when client
> authentication changes, Alice and Bob will export the same keying material
> at steps 5 and 10.  If the intended goal of this exported key is for Alice
> to obtain confidentiality in some other use, this will not be achieved,
> since Bob will obtain the same exported key.
> >
> > Now, a proviso is that RFC 5705 allows for the application to mix a
> "context value" into the export, which could mitigate this, but that is
> optional.
> >
> > So it seems to me like in at least some scenarios, exported keying
> material should be associated with authentication context.  It is less
> clear to me if the same holds true for KeyUpdates.
> >
> > Douglas
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email