Re: [TLS] Resumption Contexts and 0-RTT Finished

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 21 July 2016 07:12 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE53B12DA83 for <tls@ietfa.amsl.com>; Thu, 21 Jul 2016 00:12:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nO-8Hyeln6YU for <tls@ietfa.amsl.com>; Thu, 21 Jul 2016 00:12:23 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 5F81F12DA80 for <tls@ietf.org>; Thu, 21 Jul 2016 00:12:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id A3B137E25 for <tls@ietf.org>; Thu, 21 Jul 2016 10:12:21 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id ApeJqmdGF03l for <tls@ietf.org>; Thu, 21 Jul 2016 10:12:21 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 4D4B7C4 for <tls@ietf.org>; Thu, 21 Jul 2016 10:12:21 +0300 (EEST)
Date: Thu, 21 Jul 2016 10:12:17 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20160721071217.GB23604@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160719134626.GA14259@LK-Perkele-V2.elisa-laajakaista.fi> <013101d1e1cc$253eddb0$6fbc9910$@delignat-lavaud.fr> <CADi0yUMRGF6LBauyVjp=Zn4vXft15jy+jOtjn1MsMEoEwgtQxg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CADi0yUMRGF6LBauyVjp=Zn4vXft15jy+jOtjn1MsMEoEwgtQxg@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nlU6M1R1BLdxL9cxnmshNq-q2Ig>
Subject: Re: [TLS] Resumption Contexts and 0-RTT Finished
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 07:12:26 -0000

On Wed, Jul 20, 2016 at 01:42:58AM -0400, Hugo Krawczyk wrote:
> Without taking a position on the implementation issues, I am in favor of
> Option A with a dedicated context value (and an explicit name "PSK
> Context") as this makes clear the function of this value. Relying in
> Finished makes it more fragile and open to be dropped in the future when
> its binding role is "forgotten" or when deriving some other protocol or
> variant.

Furthermore, I think that there are only two ways to do the kind of
binding required that aren't fatally flawed (as far as I know) in some
way.

One is ADL's "Option A", and the other is implicit variant of "Option B"
I came up with. Both are ugly.

I think ADL's "Option A" is easier to implement (no need to mess with
Finished generation).


I also think that the 0-RTT Finished message should be removed (as
suggested before by one of the "crypto guys", I forgot who). It
is major implementation problem, and doesn't seem to even provode any
security.


> Also, I insist on the need to remark about the need for collision
> resistance of any value with a binding functionality. If this value is
> produced with HKDF (or HMAC as in he case of Finished) the need for
> collision resistance is not explicit and can lead to truncation (which is
> perfectly fine when just deriving keys or when used with a regular PRF
> functionality).

The properties that HKDF and HMAC actually provodes here:

If the base hash is CR and has output length at most blocklength,
then...

- HMAC is CR w.r.t. its message input.
- If the HMAC key is of constant length, the HMAC is CR w.r.t. its
  key.
- HKDF-Extract is CR w.r.t. its key input.
- If the salt is of constant length, HKDF-Extract is CR w.r.t. its
  salt.
- If length is at least one hash output, HKDF-Expand-Label is CR
  w.r.t. its label.
- If length is at least one hash output, HKDF-Expand-Label is CR
  w.r.t. its hashvalue.
- If length is at least one hash output and secret is of constant
  length, HKDF-Expand-Label is CR w.r.t. its secret.

These all can be shown by supposing an counterexample, and showing
that it inevitably follows that the base hash is both CR and not CR
at the same time, which is not possible.

(Conviniently, all length constraints are currently always met).


> Actually, I would suggest that for any such value, we add "collision
> resistance" to the label for that derivation - this would apply to
> resumption/PSK context and to Exporter key (and possibly others)

<bikeshed>
I suggest appending ", collision resistant".
</bikeshed>

(E.g. "TLS 1.3, exporter master secret, collision resistant", after
fully expanding the label)


-Ilari