Re: [TLS] judging consensus on keys used in handshake and data messages

Douglas Stebila <> Thu, 07 July 2016 19:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 901C112D5C7 for <>; Thu, 7 Jul 2016 12:47:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ypDdimLIlqLi for <>; Thu, 7 Jul 2016 12:47:41 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B672012D523 for <>; Thu, 7 Jul 2016 12:47:40 -0700 (PDT)
Received: by with SMTP id f126so223022628wma.1 for <>; Thu, 07 Jul 2016 12:47:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dOboAVTm80uSOBoCyrlcLGUxQDosn5j4sc3CVbLQEYE=; b=gQXZGXLP7HutlQuDklmU+1ba9hMKVbpIT3DXbedJ5mgUtfYg+rvPwBuxwR2XGDuvzx u8dx2DMcQKhrMz+Y06/NTtN3d+sKv+XxKRXzVruKirarCgsZnLrSYZHc+QbJXwGLxCOm ThsZPdg2mLmb0FQtDnKou2dbzjXhADefp1KQZoTTqqBQdqpmtbGdsRjSt9pZwkiIoJ7x 8wmpZCw3Ni6Z4PBI13BCx6TwW1dN6LAf1OLFpmesUoTF+e/wUho/4oRFgqEJLy2g8aKY OQia1aeW+PrmVoiU0Hnm5DvdD6IXK9QbuFBf1D4nYrEe5aHr2m1FwVpw0QxILWLL+KfC rOhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dOboAVTm80uSOBoCyrlcLGUxQDosn5j4sc3CVbLQEYE=; b=URFr4WffYQkQqXFuVvcYHqRB8kFTQg/KQjXpCLApr5XDyox7aGXnwKYyuCO1hIpINn ULnxnH11rPVDIapMnQtgKHOBVmX5MfIG0ecjP9W8yPe0teBDQPFksrNpY2ux919JS/SN Z8tpOJsOWVljfLYZcmeWp4Kp1Pjjw7LkNKD1e4LrSVhB5qixHiWn7QL6yA0haW2AhOzl +kCrURnntzWjaOnPojii2klJZXMbTtIUMy6LVeUWir2zvbFnSutqoQjwo4GJCQk+ycyh Ajpu6+YAtp48Gfa5Mo5gBwFMPE+0JjkuEVCS9bOkvicztdBs8fNP6oZr/L+75vKtKR0a iMPQ==
X-Gm-Message-State: ALyK8tI7RSa5lgSoMJghHPST7tDCnmvS7IMzluxSvBjnYbtC2VEFmj86hJbG/kiGL+4RIg==
X-Received: by with SMTP id pd1mr1795451wjb.16.1467920859243; Thu, 07 Jul 2016 12:47:39 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id a4sm4439396wjq.40.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 07 Jul 2016 12:47:38 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Douglas Stebila <>
In-Reply-To: <>
Date: Thu, 07 Jul 2016 21:47:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <>
To: Hugo Krawczyk <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Cc: Karthikeyan Bhargavan <>, "" <>
Subject: Re: [TLS] judging consensus on keys used in handshake and data messages
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Jul 2016 19:47:43 -0000

With Hugo's analysis of the secure channel-like security afforded even when the application key is used to encrypt non-application data, and as Cédric pointed out to me the application key will be used to encrypt non-application data like certain alert messages; so I think option 1 is a reasonable choice, and option 3 would not recover the composability property we hoped it might.


> On Jul 7, 2016, at 12:44 PM, Hugo Krawczyk <> wrote:
> I do not have an objection to option 1 if re-phrased as 
> Option 1 - use the same key for protecting both *post*-handshake and applications messages.. 
> I believe this is what was intended by that option anyway. Let me clarify.
> I understand the question as relating *only* to post-handshake messages and not
> to the main handshake (three initial flights). For the latter we have key
> separation in the sense that none of these main-handshake messages is encrypted
> under the application key but rather under dedicated handshake keys. This should
> not be changed as it provides key indistinguishability to the application key, a
> desirable design and analysis (=proof) modularity property.
> On the other hand, for post-handshake messages, and particularly for encrypting
> post-handshake client authentication messages, preserving key
> indistinguishability is not relevant since at the time of post-handshake
> client authentication, the application key has already lost its indistinguishability
> by the mere fact that the key was used to encrypt application data. Key
> indistinguishability is the main reason to insist in key separation and this
> principle does not apply here anymore hence removing the objection to 1.
> I'd note that the best one could hope for in the post-handshake setting is that
> as a result of post-handshake client authentication the application key becomes
> a secure mutually-authenticated key for providing "secure channels" security.
> As pointed out by others in previous posts I have an analysis showing that this
> delayed mutual authentication guarantee is achieved even if one uses the
> application key to encrypt the post-handshake messages. I have circulated a
> preliminary version of the  paper among cryptographers working on TLS 1.3 
> and  I will post a public copy next week so this can be scrutinized further.
> Hugo
> On Thu, Jul 7, 2016 at 1:10 AM, Karthikeyan Bhargavan <> wrote:
> If we are left with 1 or 3, the miTLS team would prefer 1.
> On the cryptographic side, Hugo has a recent (draft) paper that seems to provide
> some more justification for (1), at least for client authentication. 
> I know this is a bit off-topic, but the miTLS team would also like to get rid of 0-RTT ClientFinished 
> if that is the only message left in the 0-RTT encrypted handshake flight. That should remove
> another Handshake/Data key separation from the protocol, leaving only 3 keys: 0-RTT data,
> 1-RTT handshake, and 1-RTT data. 
> Best,
> -Karthik
>> On 07 Jul 2016, at 02:49, David Benjamin <> wrote:
>> On Wed, Jul 6, 2016 at 5:39 PM Eric Rescorla <> wrote:
>> On Wed, Jul 6, 2016 at 5:24 PM, Dave Garrett <> wrote:
>> On Wednesday, July 06, 2016 06:19:29 pm David Benjamin wrote:
>> > I'm also curious which post-handshake messages are the problem. If we were
>> > to rename "post-handshake handshake messages" to "post-handshake bonus
>> > messages" with a distinct bonus_message record type, where would there
>> > still be an issue? (Alerts and application data share keys and this seems
>> > to have been fine.)
>> Recasting all the post-handshake handshake messages as not something named "handshake" does make a degree of sense, on its own. (bikeshedding: I'd name it something more descriptive like "secondary negotiation" messages or something, though.) Even if this doesn't directly help with the issue at hand here, does forking these into a new ContentType sound like a useful move, in general?
>> I'm not sure what this would accomplish.
>> Me neither. To clarify, I mention this not as a suggestion, but to motivate asking about the type of message. If the only reason the proofs want them in the handshake bucket rather than the application data bucket is that they say "handshake" in them then, sure, let's do an inconsequential re-spelling and move on from this problem.
>> But presumably something about the messages motivate this key separation issue and I'd like to know what they are.
>> David
>> _______________________________________________
>> TLS mailing list
> _______________________________________________
> TLS mailing list
> _______________________________________________
> TLS mailing list