Re: [TLS] Key Schedule (PRs #453, #454).
Eric Rescorla <ekr@rtfm.com> Fri, 20 May 2016 17:41 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4348C12DA9D for <tls@ietfa.amsl.com>; Fri, 20 May 2016 10:41:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0ivTU5EQ8R8 for <tls@ietfa.amsl.com>; Fri, 20 May 2016 10:41:48 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 925F112D614 for <tls@ietf.org>; Fri, 20 May 2016 10:41:48 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id j74so116173847ywg.1 for <tls@ietf.org>; Fri, 20 May 2016 10:41:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=nQopiEW33ImTqMfP/9DgYMGysDGzWFx1KNDn7XNEjFU=; b=YlQA8PKpt+fxEuCdIkbYnNEasXQ1KnuBdO3aHKl32HfjKwdx6p8DdNt8oGf7Nlgp2X eLZR8cq/2VdP0jGnD+pC8PZ2PK5IQkp6sQRpnEd+7L7RytKnM/BnicqpXX6lywJvjGaa /PwCbOax2uMzZHxtu8WR6G0a8l8H3lx/aTyMOoPLXlk0N+TkyJrmAmVR4YGJJnudexaF e0PIE6u6KUKTL3GSHabcwIRGuLwZRUiwgVPrNJ7piUt7DH0HSbKB9NwitCyjCa5Q2dKP mC07K97MKxWH6rAmIWu6EOqlQNQjNkSo5RMdred7fVhW9Ol0bnTqXF61ZEb87tjr8FYN 2MxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=nQopiEW33ImTqMfP/9DgYMGysDGzWFx1KNDn7XNEjFU=; b=L70Lh5cHHQPQ97rknM8m1YxcfZjI9VSWQbXELV4Cy8ttvmJ4JfwbXjn+dSqLUZxQMV AZL3bNwf3KPbxvwHTossqq0B+lCBjV1M/SJ6ZtVFBb9Mion+KySdRcXmOCxdTgLUHFTp 83/IVcdVpwcUipNOlA2eHECuoahJ0z+hg8I/VwoX5zeT9+fJQJdop5TxIbAES2JzzlO6 UmBv/w9ltYQrvDtToNeedr/Q+UlLXld6bTAWklu11cbDAhdntxlzIVIDfhM1Sg4xQTM6 Im6nI3uFrcbXKn6WtO4HNDScbSsSNYgnowB6h+rj7MHWbZ05R+otjWzPVj02L0jijWbL ZFdQ==
X-Gm-Message-State: AOPr4FUlBhB1l5V6zypdyErHMN2wY3TruClxKwjRvrCXqY40i0H27L1gEmzALiARe67u3VckJlMraiUXCbvl5Q==
X-Received: by 10.129.46.141 with SMTP id u135mr2472967ywu.180.1463766107750; Fri, 20 May 2016 10:41:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Fri, 20 May 2016 10:41:08 -0700 (PDT)
In-Reply-To: <CABcZeBN+T1uAc8Eye3Q7M7W96XJoG8+=Ng+uZNzzf-XeJWY_7Q@mail.gmail.com>
References: <CABcZeBN+T1uAc8Eye3Q7M7W96XJoG8+=Ng+uZNzzf-XeJWY_7Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 May 2016 10:41:08 -0700
Message-ID: <CABcZeBN9DzB42yeQeXWA1ZHEpQPkatCQgvG2M6tFmbmy06tjjQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114089e2e342d80533499ac6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/msMUj__wbxdBPhaxE3G96Zx6mSo>
Subject: Re: [TLS] Key Schedule (PRs #453, #454).
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 17:41:51 -0000
Merged. On Thu, May 19, 2016 at 10:41 AM, Eric Rescorla <ekr@rtfm.com> wrote: > PR: https://github.com/tlswg/tls13-spec/pull/454 > > I have uploaded a PR [technically two PRs, but one builds on the > other, so easier to just read the composition] which resolves two out > of the three significant remaining crypto issues (the remaining one is > the long-running discussion of post-handshake keys). The following > message lays out the changes, which are: > > - Adopt a more linear key schedule > - Add a context identifier for resumption > > > KEY SCHEDULE > We had a lot of comments that the existing key schedule was too hard > to understand and implement and could be simplified under the > assumption that keys were available in a specific order (PSK then DH > ZZ). I've been working together with Karthik, Hugo, Antoine, and > others to produce something cleaner. (Note: I believe they consider > this acceptable, but that doesn't mean they wouldn't have designed > every piece exactly as I have.) > > > The overall key schedule looks like this: > > 0 > | > v > PSK -> HKDF-Extract > | > v > Early Secret --> Derive-Secret(., "early traffic secret", > | ClientHello) > | = early_traffic_secret > v > (EC)DHE -> HKDF-Extract > | > v > Handshake > Secret -----> Derive-Secret(., "handshake traffic secret", > | ClientHello + ServerHello) > | = handshake_traffic_secret > v > 0 -> HKDF-Extract > | > v > Master Secret > | > +---------> Derive-Secret(., "application traffic secret", > | ClientHello...Server > Finished) > | = traffic_secret_0 > | > +---------> Derive-Secret(., "exporter master secret", > | ClientHello...Client Finished) > | = exporter_secret > | > +---------> Derive-Secret(., "resumption master secret", > ClientHello...Client Finished) > = resumption_secret > > Derive-Secret(Secret, Label, Messages) = > HKDF-Expand-Label(Secret, Label, > Hash(Messages) + resumption_context, L)) > > > Derive-Secret is just a wrapper around HKDF-Expand-Label, for reasons > indicated below. If a key is missing you just use 0s. > > The general pattern here is that the secrets shown down the left side > of the diagram are just raw entropy without context, whereas the > secrets down the right side include handshake context and therefore > can be used to derive working keys without additional context. All > the working keys (both encryption keys and finished keys) are > generated using HKDF-Expand-Label off of the traffic secrets. > > This design is motivated by the following principles: > > - Separate out adding entropy from adding context. > - Incorporate the transcript once and then derive from there. > - Have a narrow, consistent interface for generating the leaf keys > so they can just start with a base key. > - Derive from keys as soon as practical so that you can destroy them > (thus the final call to Add-Secret, which isolates the > Finished keys from the MS). > > An additional nice point about this design is that it easily > accomodates additional keys. For instance, if we had some post-quantum > key exchange method, we could easily add its key in the final > Add-Secret or add an extra Add-Secret stage before HS. Similarly, if > we had a long-term DH key as in OPTLSv1, it could replace the 0 in the > final Add-Secret. > > One thing I want to call out explicitly is that we are using > HKDF-Expand-Label with the output of HKDF-Expand-Label. This is > cryptographically fine, but means that you need an implementation of > the individual HKDF Expand/Extract primitives. As far as I can tell, > this isn't a hardship for anyone, but please speak up if it is. The > advantage of this is that you remove unnecessary crypto operations. > > > CONTEXT IDENTIFIER > PR: https://github.com/tlswg/tls13-spec/pull/454 > > Hugo and Karthik both independently suggested that it would be nice to > have some identity/context bound into the PSK handshake. The second PR > accomodates that by deriving two values from the RMS: > > resumption_psk = HKDF-Expand-Label(resumption_secret, > "resumption psk", "", L) > > resumption_context = HKDF-Expand-Label(resumption_secret, > "resumption context", "", L) > > The resumption_psk is then used as the PSK for resumption and the > resumption_context is added to the hash of the handshake messages > whenever you use them, currently just by appending to the hash, as in: > > Hash(handshake messages) +resumption_context > > This is used *both* to derive the keys and for the input to > the CertificateVerify/Finished. For convenience, I've > > > Note: the reason for separately deriving RMS and then computing the > context and PSK from RMS is to allow the server to just store RMS in > the ticket. If we used MS the server would need to store MS in the > ticket and then compromise of the ticket key would threaten the > original handshake. > > One nit question, would it be better to hash twice, as in: > > Hash(Hash(handshake messages) + resumption_context) > > I can't see a reason to, but maybe I've missed something. > > Comments welcome. In the interest of not having too many outstanding > changes, I'll probably merge this tomorrow unless someone strongly > objects or we find something really egregious (which is always possible > because there's a lot of text here). > > Best, > -Ekr > > > > > > > > > > > > > > > > > > > > > >
- [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Martin Thomson
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla