Re: [TLS] Premaster/Master convention

Michael StJohns <msj@nthpermutation.com> Wed, 30 July 2014 15:45 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nJs3iBA8YP5Diu7z0xzbYyPSDFI

On 7/30/2014 11:02 AM, Gero, Charlie wrote:
> We have a number of technologies at Akamai that utilize the fact that the PMS is split from the MS and that MS is produced in conjunction with the randoms.  It allows us to do splitting between machines that have keys and those that don't (machines in safe locales and those which are simply terminators).  I don't think we could use the same methods we use today without that sub step.  It would make it very difficult for Akamai to adopt 1.3.

So you send the master secret from the handshaker machine out to several 
other machines which then do what with it?  Couldn't you send the 
traffic keys instead?

I'm not sure I understand the constraints you're working under. Could 
you expand on that?

Thanks - Mike


>
> -----Original Message-----
> From: Michael StJohns [mailto:msj@nthpermutation.com]
> Sent: Wednesday, July 30, 2014 10:57 AM
> To: tls@ietf.org
> Subject: [TLS] Premaster/Master convention
>
> Given that TLS1.3 only does KeyAgreement, is there still any reason for the premaster -> master_secret derivation step?  We do (KA)->premaster and then premaster -> master and then master->(session keys).  We could probably do (KA)->master->(session keys) where the master secret is now the KA shared secret rather than premaster.
>
> 1) Is there any security reason for retaining the extra step given there is no longer a KeyTransport mechanism in TLS1.3?
> 2) Are there other *good* - non-security - reasons for retaining the extra step?
>
> Mike
>