IETF Logo Mail Archive

Re: [TLS] KeyUpdate and unbounded write obligations

Eric Rescorla <ekr@rtfm.com> Mon, 29 August 2016 17:33 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6811312D7B9 for <tls@ietfa.amsl.com>; Mon, 29 Aug 2016 10:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OTG0TyUDQDs for <tls@ietfa.amsl.com>; Mon, 29 Aug 2016 10:33:34 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE65012D73C for <tls@ietf.org>; Mon, 29 Aug 2016 10:33:33 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id e31so50710889ybi.3 for <tls@ietf.org>; Mon, 29 Aug 2016 10:33:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=V71miqtQCD6RD7PpOr1o11l60h+OpOGIt6WUdT4FF8Q=; b=1jNUhlW4ezg0rTvz8IG7ZPbgglRJcgmMFlGcPEFTVcv6DdD0iDvmrwYUT3/B3OQIgJ hVxsmaOhyc/4KG6nNnFivMXxdOTC/717ecjFVGvAMoV71B/z0wcCFftxxqxJwyf8ok4W fLCftZnT4HVR5hogaysDgTq1UnOvkWNpvQeS/dm+xBBEjSlih/i0A1j2Lvwwdpy9YnF4 6l5W/8GE0pFK9fWafiLRbZRAr16ThqXQaEPob9RTr2O+0EO8g55zLYrn4y3hTHPHZVOl Vd9szHFQIVR6ZPkgfVFAXfD38LdUm19N1H52H2qh5IzZsw/pUnFFg3rIGWN3P20Hjdq3 +mbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=V71miqtQCD6RD7PpOr1o11l60h+OpOGIt6WUdT4FF8Q=; b=dX2x7C0rnnwUyhPtaV4cfPgxx+9S4/rw1VPO41gOZWkUS6qaGyskey4MJNGEVYCg/p 4z4s9/lRmyzFVjgqEV/jOZWIuR/hR/n/wijRhMP/oyyer+LJ0YkmQi/A3o9eRNVEPPjH DpNaoI7GOW1U8WrJmiv6w0ZAqQoqzhkMDUzjgV9Nw44mbjw0/DAnge/tJkVY3AqD/ce4 MiI0sBe4Gax9fhS1Uic+pV4WLGe2/meSmD3kUXo2LnwGo0XJS+QgohgUJ49fRC2Sv11L K/Q7zHjxf62GGKRqpIy8KwCIi21sIj1vCZIU5/U+JMzhk8lZ1q3J4L5Fioft12prdxJV xHpw==
X-Gm-Message-State: AE9vXwPoCdVpUhEpGh13lEUMxS1pRxdvq2JEUIbzS65O4jZkQcmQP5d2KTW5e/vqfvm8H9R8bE0oWDqYJQwQFA==
X-Received: by 10.37.64.78 with SMTP id n75mr6190031yba.162.1472492013034; Mon, 29 Aug 2016 10:33:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.48.193 with HTTP; Mon, 29 Aug 2016 10:32:52 -0700 (PDT)
In-Reply-To: <20160829173005.qfmfm2vfdumvolg2@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMfhd9XxLq-S6c5K-JE50Wgm24JHihN++OawnVgQueMM8BuGuA@mail.gmail.com> <7e9c315a-f0e6-f547-e5e9-a3f48f8d12ff@cs.tcd.ie> <CAMzhQmN8=pw4LGHtZHyRQcVsx4DGwE89GNpHPUSENfbxcTHwRA@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99565C26C5@PRN-MBX01-4.TheFacebook.com> <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com> <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBM=3RPpmGygMmrTU8DMNHQo=k0VTweKjCrY53GR3X4p1A@mail.gmail.com> <20160829173005.qfmfm2vfdumvolg2@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 29 Aug 2016 10:32:52 -0700
Message-ID: <CABcZeBNrcMzmYfuJsdWfU713KhXnJZOHE4=OEs+8BsmB9V511g@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a11c03ea05f71e8053b3943ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mkBkqk-5ay7I0aSRtcjQbEwVlOk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2016 17:33:35 -0000

On Mon, Aug 29, 2016 at 10:30 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sun, Aug 28, 2016 at 11:50:27AM -0700, Eric Rescorla wrote:
> > On Sun, Aug 28, 2016 at 11:41 AM, Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > On Sun, Aug 28, 2016 at 10:53:14AM -0700, Eric Rescorla wrote:
> > > >
> > > > I'd prefer to keep things as simple as possible here and from that
> > > > perspective, I think any indicator from side A to side B that it
> wants a
> > > > key change over and above the KeyUpdate is extra complexity. I do,
> > > however,
> > > > want to retain the property that one side can ask the other one to
> rekey
> > > > [0]. I believe we can get this by modifying the rule in the spec by
> > > treating
> > > > a run of KeyUpdates as a single generation.
> > > >
> > > > Specifically.
> > > > "Upon receiving a KeyUpdate, the receiver MUST update its receiving
> > > > keys. If the receiver has sent any data records since receiving the
> > > > last KeyUpdate it MUST also increment its min_send_generation counter
> > > > by 1. Otherwise, the min_send_generation MUST remain unchanged. Prior
> > > > to sending a record, if min_send_generation is greater than the
> > > > current sending generation, the sender MUST first send a KeyUpdate."
> > >
> > > Timing- and propagation-wise, it looks workable (also, could be done
> > > with two flags[1], no need for counter).
>
> I tried to implement this, and probably got it wrong somehow:
>
> Test setup consisists of multi-Gbps stream in one direction and fairly
> slow one in another. Very low latencies. Also, TLS stack can't do new
> flights.
>
> 1) The fast stream eventually (~5min) reaches the rekey threshold,
>    triggering a KeyUpdate.
> 2) The other side receives the KeyUpdate. Since last record it sent
>    was not KeyUpdate, it marks KeyUpdate to be sent.
> 3) The slow stream transmits something. Since KeyUpdate is pending,
>    it is sent, along with something else (so last record is not a
>    KeyUpdate.
> 4) The fast sender receives the KeyUpdate. Since last record it
>    sent was not a KeyUpdate (it has sent more data since) it
>    schedules a KeyUpdate to be sent.
> 5) Almost immediately new data arrives, and since KeyUpdate is pending,
>    it is sent, along with something else (so last record is not a
>    KeyUpdate).
> 6) Goto 2.
>
> The result is ping-pong of KeyUpdate's that starts as soon as one side
> sends one (at rate determined by the send rate of the slower peer,
> which still can be pretty high).
>

Did you use the "flags" approach or the generation approach, since it seems
like in the latter approach, at that point it would be in send=2, recv=1 and
it wouldn't update.

-Ekr


>
> -Ilari
>

v2.14.0 | Report a Bug | By Email