IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Joseph Salowey <joe@salowey.net> Mon, 11 January 2021 06:07 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 773EF3A1623 for <tls@ietfa.amsl.com>; Sun, 10 Jan 2021 22:07:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0o9QudipQvFJ for <tls@ietfa.amsl.com>; Sun, 10 Jan 2021 22:07:42 -0800 (PST)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1D213A1621 for <tls@ietf.org>; Sun, 10 Jan 2021 22:07:41 -0800 (PST)
Received: by mail-lf1-x131.google.com with SMTP id o13so36171235lfr.3 for <tls@ietf.org>; Sun, 10 Jan 2021 22:07:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q1tbKBVSA2FH5jEznNIUqC0OIb7tb4BbkfEZ8Ys3LjE=; b=NpoNWqGJ2PpGjLUF5EfCx7pAGydLPRskqjWS4SkRl6zZy+bUoyExjRYaMzaB4zYoPS StVnSQjYFDIrXEc+JcrsjyAiBhE0ABfhAmuXQ+pI3LOV4i4t9h0/Bs6gvHjYqg3/iWH0 z9wg0xmj7QN5cVFx2cFM9xL/+ROcRRx63XoCpea6vDngQ2haLImBSF62IOmGf6gPSaRb DpSMnTkv4J1bkbREnj4kBl3zGUBHPVbJLeJQn6FYfL5vzfg8JgDS1lCV41oQJTtZI8Uy KZEvgPteOx2q3uyLUUygyZCRD+rkQuVhJAB+jkHZmd72N98TRrgbEuWjkqUPul30BYvr r/Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q1tbKBVSA2FH5jEznNIUqC0OIb7tb4BbkfEZ8Ys3LjE=; b=WAAT3Mu4NU6DjYfj4AM98eCDux8MoB36C+GdlUKThn9OSo/l7yIgJap9UismXf8cRb JmghApKPsirhhK+nFq0+j2WrPSzSFu2+8W1hTmtYH8euCp0XWdLEmJquxUzZth+uXSN7 FGk0f6rGqezEKmfcSBqnP6Zhtuuq/7p7hVLcIF/neBVdxcTvBDx7C6nSVr2CcSreZlg4 Af8KYBUIGlBAfpqOZkS9rJfRvi9dixbhjaChkwpPnr4JmarZjt6aLE+bQSTpqJzJORLM ijCUqWF1pzPjfCitO+ICrGXRr78NLaydWseUvy5n7NiRsc5P1UWxQGszP3i/gCWtx5Mv zVdg==
X-Gm-Message-State: AOAM531Hawe2B/SH5RHrPUajtSGhA1UgTVpfM212G+3LUqSRPBeo18hR 7UzRLC6yWZOwt+VEa7QC5vy+hl2kWZaZZ9ghcfZRtg==
X-Google-Smtp-Source: ABdhPJxs4DLYHBFQuis8WYa/YUQVqeEYW6B9NZMpv4R5269cmk3oGVYRHUkRMMz8Ba75i3LrDdgsdEO/SAW4i69i88s=
X-Received: by 2002:a19:4907:: with SMTP id w7mr6255347lfa.198.1610345259663; Sun, 10 Jan 2021 22:07:39 -0800 (PST)
MIME-Version: 1.0
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <20201216223842.GR64351@kduck.mit.edu> <0f2b05db-5c98-43d4-aae3-cf620814bacc@www.fastmail.com> <A4BBA31B-8754-4D8C-B0F1-D1C6C859F6AE@deployingradius.com> <CAOgPGoBvBzhA0q4gFqpFSm2HkAs6NoyLc6RVZYLtTYsNd02i8A@mail.gmail.com> <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com>
In-Reply-To: <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 10 Jan 2021 22:07:27 -0800
Message-ID: <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b133305b899b961"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/izy9XyuN4ZJcXM7-5FRB4cMELBI>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2021 06:07:45 -0000

On Thu, Jan 7, 2021 at 2:42 PM Martin Thomson <mt@lowentropy.net> wrote:

> Hi Joe,
>
> Thanks for doing this, I think that this is a distinct improvement (and I
> will take your word for the difficulties involved with further splits).
>
> One point that I made poorly perhaps, and was dismissed, might be worth
> restating:
>
> MSK = TLS-Exporter("EXPORTER_EAP_TLS_MSK", Type-Code, 64)
>
>
[Joe] I think you propose something like this instead (eliminating context):

MSK = TLS-Exporter("EXPORTER_EAP_TLS_MSK-" + ASCII-Type-Code, 64)

Where + is concatenation and ASCII-Type-Code is "13"

the IANA section would explicitly list: EXPORTER_EAP_TLS_MSK-13


> The inclusion of a type code as context is, I believe, a misuse of the
> field.  As this is a fixed value, the value is being used for domain
> separation.  However, that is the function of the exporter label input.
> The label exists to establish that this is EAP-TLS and the key is (in this
> case) MSK.  If you need different derivations for different type codes, I
> strongly suggest that this be included in the label.
>
> The Context input exists to pull in variables from the context that
> endpoints might need to agree on.  It is not for domain separation.  For
> example, if you thought it necessary to authenticate the Identity values
> that client and server exchange, you might add those to this field.  (As an
> aside, you might want to consider that as their value could be used to
> determine what parameters to feed into the TLS handshake.)
>
> If, however, you have an adjacent usage of EAP that wants its own MSK,
> then that is domain separation.  The right thing to do would be to create
> new labels for that usage.
>
> This might be a fine point in light of the fact that these all just get
> fed into HKDF, but I think that it is important to respect the purpose for
> which these inputs were designed.
>
>
[Joe] I see your point that we should eliminate the context and include the
type code in the label as it will always be the same for EAP-TLS (which
also goes to the point that has been made by several people that this value
may be redundant since we would expect another EAP type to use a different
label).  In the past, people have used TLS in all sorts of innovative and
unique ways in different EAP methods all loosely based on EAP-TLS.  I don't
see this usage as too far outside the intended use of the context field
(the value should match on both sides) and I think including the type value
in the context value would help avoid some potential implementation
problems if the key derivation is reused for another method.




Cheers,
> Martin
>
> On Wed, Jan 6, 2021, at 17:24, Joseph Salowey wrote:
> >
> >
> > On Tue, Jan 5, 2021 at 8:31 AM Alan DeKok <aland@deployingradius.com>
> wrote:
> > > On Jan 5, 2021, at 11:13 AM, Mohit Sethi M <mohit.m.sethi@ericsson.com>
> wrote:
> > > >
> > > > Hi Alan,
> > > >
> > > > Cleaning up the email. The current draft says the exporter should be
> called once as:
> > > >
> > > >>    Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material",
> > > >>                                Type-Code, 128)
> > > >>
> > > > and then split the 128 into MSK (64) and EMSK (64). As said, from
> initial glance, it seems the exporter is called twice (once in
> eap_tls_get_emsk and once in eap_tls_getKey). Both the calls are with
> exactly the same context, context length, and labels. In getKey, the EMSK
> parts are cleared with
> > > >> os_memset(eapKeyData + EAP_TLS_KEY_LEN, 0, EAP_EMSK_LEN);
> > > > while in get_emsk, they are read with
> > > >
> > > >
> > > >>              os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
> > > >>
> > > >>
> > > >> EAP_EMSK_LEN);
> > > > Maybe we can live with this. But if exporter is called twice, we
> should use different labels as suggested by Martin?
> > >
> > >   Yes.
> > >
> > >   Perhaps as Joe suggested: EXPORTER_EAP_TLS_MSK and
> EXPORTER_EAP_TLS_EMSK, which seem simple enough.
> > >
> > [Joe] I created a pull request
> > (https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/17)  with the
> > proposed labels.  Is this change going to cause significant problems
> > for implementation?
> >
> > >   Alan DeKok.
> > >
> > > _______________________________________________
> > > TLS mailing list
> > > TLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tls
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email