Re: [TLS] KeyUpdate and unbounded write obligations
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 28 August 2016 18:41 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F229A12B032 for <tls@ietfa.amsl.com>; Sun, 28 Aug 2016 11:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I34VWCe_fud2 for <tls@ietfa.amsl.com>; Sun, 28 Aug 2016 11:41:19 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id F41D0127078 for <tls@ietf.org>; Sun, 28 Aug 2016 11:41:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D8C5BFF4C; Sun, 28 Aug 2016 21:41:16 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id Xo0ujq-lkaLw; Sun, 28 Aug 2016 21:41:16 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 7C9FE2313; Sun, 28 Aug 2016 21:41:16 +0300 (EEST)
Date: Sun, 28 Aug 2016 21:41:06 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160828184105.yvrnbispbnpomk4s@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMfhd9UQ3jHLcUObBORi0Z_QQi2n4-fL9_KCwLvcDKTkJN1z5A@mail.gmail.com> <CAMzhQmMaBp0sPca9xb9jVrC=mjtZ8Rq3FnH8R8x6jcOxBO=9nA@mail.gmail.com> <CAMfhd9XxLq-S6c5K-JE50Wgm24JHihN++OawnVgQueMM8BuGuA@mail.gmail.com> <7e9c315a-f0e6-f547-e5e9-a3f48f8d12ff@cs.tcd.ie> <CAMzhQmN8=pw4LGHtZHyRQcVsx4DGwE89GNpHPUSENfbxcTHwRA@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99565C26C5@PRN-MBX01-4.TheFacebook.com> <CAMzhQmM+msOti4rChS=dwRpo5YGh4VMpnqQvy4x=GG=rKA7kew@mail.gmail.com> <20160825042343.w6bg6kg75tujhexg@LK-Perkele-V2.elisa-laajakaista.fi> <CAMzhQmPFwE7H5gN-Ua1unGyFCpxh8aZuX4-2u55R0hmLD52FKQ@mail.gmail.com> <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBNjRvvKWctCy0oNYDpqgFoTck2Ai8iYuVeYQg1d5Jyk-g@mail.gmail.com>
User-Agent: Mutt/1.6.2-neo (2016-08-21)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mw9gdiJhG9uHT8E94PgBuHPeKv4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] KeyUpdate and unbounded write obligations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Aug 2016 18:41:21 -0000
On Sun, Aug 28, 2016 at 10:53:14AM -0700, Eric Rescorla wrote: > > I'd prefer to keep things as simple as possible here and from that > perspective, I think any indicator from side A to side B that it wants a > key change over and above the KeyUpdate is extra complexity. I do, however, > want to retain the property that one side can ask the other one to rekey > [0]. I believe we can get this by modifying the rule in the spec by treating > a run of KeyUpdates as a single generation. > > Specifically. > "Upon receiving a KeyUpdate, the receiver MUST update its receiving > keys. If the receiver has sent any data records since receiving the > last KeyUpdate it MUST also increment its min_send_generation counter > by 1. Otherwise, the min_send_generation MUST remain unchanged. Prior > to sending a record, if min_send_generation is greater than the > current sending generation, the sender MUST first send a KeyUpdate." Timing- and propagation-wise, it looks workable (also, could be done with two flags[1], no need for counter). Yes, this causes lots more desync between sides, but existing mechanism needed to cope with that already. However, one problem: Because both sides take their keys from one ladder, if one side is behind the other, one can extract past keys of other side from the one that is behind (running separate ladders in both directions[2][3] would fix this). [1] Specifically: - last_tx_key_update: Was the last record I sent a KeyUpdate? - next_tx_key_update: Will the next record I send be a KeyUpdate? [2] Any current implementation likely already has per-direction traffic secrets (at least mine certainly does). [3] Allowing multiple steps at once would open things up for DoS attacks. -Ilari
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Stephen Farrell
- Re: [TLS] KeyUpdate and unbounded write obligatio… Adam Langley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Adam Langley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Adam Langley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Jim Schaad
- Re: [TLS] KeyUpdate and unbounded write obligatio… Adam Langley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Benjamin Kaduk
- Re: [TLS] KeyUpdate and unbounded write obligatio… David Benjamin
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… David Benjamin
- Re: [TLS] KeyUpdate and unbounded write obligatio… Benjamin Kaduk
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- [TLS] KeyUpdate and unbounded write obligations David Benjamin
- Re: [TLS] KeyUpdate and unbounded write obligatio… Subodh Iyengar
- Re: [TLS] KeyUpdate and unbounded write obligatio… Judson Wilson
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Adam Langley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Russ Housley
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Eric Rescorla
- Re: [TLS] KeyUpdate and unbounded write obligatio… David Benjamin
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Ilari Liusvaara
- Re: [TLS] KeyUpdate and unbounded write obligatio… Keith Winstein