IETF Logo Mail Archive

Re: [TLS] IV Generation was: Clarifications and questions: TLS1.3 - Static RSA and AEAD

Michael StJohns <msj@nthpermutation.com> Tue, 27 May 2014 21:15 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169B91A026B for <tls@ietfa.amsl.com>; Tue, 27 May 2014 14:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFAvvDrPpktR for <tls@ietfa.amsl.com>; Tue, 27 May 2014 14:15:20 -0700 (PDT)
Received: from mail-pb0-f52.google.com (mail-pb0-f52.google.com [209.85.160.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2C9E1A06B4 for <tls@ietf.org>; Tue, 27 May 2014 14:15:20 -0700 (PDT)
Received: by mail-pb0-f52.google.com with SMTP id rr13so9973468pbb.11 for <tls@ietf.org>; Tue, 27 May 2014 14:15:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=Rs8EJ7l42GjmqfvG6e8YOHmvEx7hfnVyfHLmiWH6rWc=; b=Q3PkVVCO+c4jmfqWA0RJjSf6gAspQyaUVRJFBgnwSvBTtHMMlcXypm5D44yk8IT9Um eKajfl+9kj61UN41Klk7fQ+BqAkWCxUvmJ9hmXFy7ZErrvJl/1bDEEs8kIwxN4ZtVLLj evpPPAKyMI3Hnzn8QVwGwwrvK/EH8HCYA4EKgd8Q8CN0H9vYqmnRDRedvzd4xb6a27uc PMc+2wfFyQBIcABZcilHIsqsoUZOxwoKXl0gevrCSnhCgBmf1eXkCcNGBhf32ZIgCQde BFiSELWm4qFEKzlMJ/8v6n5RhclVBLfDj34m9lmW3EAIAeUl0BMr4Ale1Ryp7fx1+ziL vBuA==
X-Gm-Message-State: ALoCoQle/kRMyR+De7IrFsktfLIeN9Cr47KuScP9wzlwSbAbL1l/gr7Sm6WGKMgn4TxiIekgNPm1
X-Received: by 10.66.230.193 with SMTP id ta1mr40814318pac.29.1401225317457; Tue, 27 May 2014 14:15:17 -0700 (PDT)
Received: from [192.168.1.102] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id jq6sm24831102pbb.76.2014.05.27.14.15.16 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 May 2014 14:15:16 -0700 (PDT)
Message-ID: <5385006C.8080801@nthpermutation.com>
Date: Tue, 27 May 2014 17:15:24 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: mrex@sap.com
References: <20140527204632.95AA31AD1D@ld9781.wdf.sap.corp>
In-Reply-To: <20140527204632.95AA31AD1D@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iVsMVk9fLBmgt7LvXzjIDubCrhI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] IV Generation was: Clarifications and questions: TLS1.3 - Static RSA and AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 21:15:22 -0000

On 5/27/2014 4:46 PM, Martin Rex wrote:
> Michael StJohns wrote:
>> 2) ----------------------------------
>>
>> As a specific comment on how the master secret is used:
>>
>> The general rule is that the same key shouldn't be used for multiple
>> things.  In this case the master secret is used (ignoring for a moment
>> that the functions are all iterations of the PRF):
>>
>>    * with a Key Derivation Function to derive key material
>>    * with a MAC function to sign the finished messages
>>    * with a keyed pseudo random number generator to derive the IV's.
>>
>> By my count that's two too many.  The fact that the KDF and PRNG steps
>> are part of the same process is even more problematic.
>>
>> There's literature on this - but an easy reference is section 5.2 of
>> NIST's SP800-57 part 1 rev 3 -
>> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-57-Part%203-Rev.1:
>>
>>> 5.2 Key Usage
>>> In general, a single key should be used for only one purpose (e.g.,
>>> encryption, authentication, key wrapping, random number generation,
>>> or digital signatures). There are several reasons for this:
>
> I believe you're misinterpreting the concept of the TLS master secret.
>
> The TLS master secret is *NOT* a key.  It is more like the entropy pool
> (internal state) of a DBRG (Deterministic Random Bit Generators).



Um.... taken one way you could call any key an entropy pool.  I think 
you're misinterpreting the characteristics of a key.

So, no.

Stealing from the definition of "Cryptographic Key" in SP800-57 part 1 
rev 3:

> A parameter used in conjunction with a cryptographic algorithm that
> determines its operation in such a way that an entity with knowledge of
> the key can reproduce or reverse the operation, while an entity without
> knowledge of the key cannot.

Continuing, the master secret *is* used explicitly as a MAC key 
(finished message) and as a master key for a KDF (key expansion).

Seriously though - no.   Basically if you share it, it's no longer an 
entropy pool, but a key.  And as I've suggested several times before, 
its unclear that the function that generates the IVs needs to to be 
keyed, or do anything except expand the entropy available from 
client_random and server_random to an appropriate length and with a 
particular set of mix-in's.

Mike


>
>
> -Martin

v2.23.0 | Report a Bug | By Email