Re: [TLS] Consensus call for keys used in handshake and data messages

Yoav Nir <ynir.ietf@gmail.com> Wed, 15 June 2016 08:45 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Wed, 15 Jun 2016 11:44:59 +0300
Subject: Re: [TLS] Consensus call for keys used in handshake and data messages
In-Reply-To: <1465977655.20266.3.camel@redhat.com>
References: <CAOgPGoDRZdJN7DY10tDoEEidVkxeKabCcW_U3vQqaaH6x162gw@mail.gmail.com> <1465977655.20266.3.camel@redhat.com>
Message-Id: <26741B4E-3C0F-4E0C-AB44-F7DFCCEFED53@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ozXrEq36J48uUPB4tTRIVuZT0Zk>

Hi, Nikos

> On 15 Jun 2016, at 11:00 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> 
> On Mon, 2016-06-13 at 12:00 -0700, Joseph Salowey wrote:
>> For background please see [1].
>> 
>> Please respond to this message indicating which of the following
>> options you prefer by Monday, June 20, 2016
>> 
>> 1. Use the same key for handshake and application traffic (as in the
>> current draft-13)
>> 
>> or
>> 
>> 2. Restore a public content type and different keys
> 
> Unless participants are really expert on what the issue is and how
> these proofs are constructed, I doubt that people in the TLS WG can
> resolve that in a way that provides assurance. There are good arguments
> presented in the thread by few cryptographers, but since this is mainly
> a low level crypto decision, why not ask the CFRG instead?

I disagree that this is a low level crypto decision, or at least that this is mainly so. 

There is the question of whether using the same key for application data and handshake is harmful. That question is mainly low level crypto and could be asked of CFRG.

There is the other question of whether exposing the fact that there are handshake messages and when they occur is harmful. That is security-related, but not at all related to crypto.

Weighing these two potential harms against each other and coming to a decision is entirely an engineering issue, and we should not offload that to CFRG.

Yoav
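The two options in Joseph Salowey's consensus call, and the two separate harms Yoav distinguishes (reusing one key across handshake and application traffic; letting an observer see when handshake messages occur), as an added Python example that is not part of this thread and not code from any TLS implementation. It models only the record layer: HKDF-Expand-Label follows the form later fixed in RFC 8446 (the draft-13 label prefix differed), the key schedule is collapsed to two constructed labels with no transcript hashes or Extract steps, and the record AEAD is replaced by an explicitly insecure XOR stand-in so that record bodies are opaque. The traffic contents are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 bytes for SHA-256
HANDSHAKE = 22                         # TLS ContentType values
APPLICATION_DATA = 23
LEGACY_VERSION = 0x0303                # record-layer version field


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as in RFC 8446 section 7.1: HkdfLabel = length || label || context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def toy_protect(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the record AEAD: XOR with an HKDF-derived keystream bound to (key, seq).
    NOT authenticated and NOT a secure cipher; it exists only so the body is opaque.
    XOR is its own inverse, so the same call also unprotects."""
    keystream = hkdf_expand_label(key, b"toy keystream", struct.pack(">Q", seq), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def record_single_key(key: bytes, seq: int, content_type: int, payload: bytes) -> bytes:
    """Option 1 (draft-13 style): one traffic key; the real content type is appended to the
    plaintext and protected, and the outer header always claims application_data."""
    body = toy_protect(key, seq, payload + bytes([content_type]))
    return struct.pack(">BHH", APPLICATION_DATA, LEGACY_VERSION, len(body)) + body


def open_single_key(key: bytes, seq: int, record: bytes) -> Tuple[int, bytes]:
    """Receiver side of option 1: unprotect, then read the content type from the last byte."""
    _ct, _ver, ln = struct.unpack(">BHH", record[:5])
    inner = toy_protect(key, seq, record[5:5 + ln])
    return inner[-1], inner[:-1]


def record_public_type(key: bytes, seq: int, content_type: int, payload: bytes) -> bytes:
    """Option 2: content type in the clear; the caller picks the key by content type."""
    body = toy_protect(key, seq, payload)
    return struct.pack(">BHH", content_type, LEGACY_VERSION, len(body)) + body


def observer_view(wire: bytes) -> List[Tuple[int, int]]:
    """What a passive on-path observer reads from record headers alone: (type, body length)."""
    seen, off = [], 0
    while off < len(wire):
        ct, _ver, ln = struct.unpack(">BHH", wire[off:off + 5])
        seen.append((ct, ln))
        off += 5 + ln
    return seen


def derive_stage_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Simplified schedule: separate handshake and application secrets, each expanded to a key.
    The labels are constructed; real TLS 1.3 interposes transcript hashes and Extract steps."""
    hs_secret = hkdf_expand_label(shared_secret, b"hs traffic", b"", HASH_LEN)
    app_secret = hkdf_expand_label(shared_secret, b"ap traffic", b"", HASH_LEN)
    return (hkdf_expand_label(hs_secret, b"key", b"", 16),
            hkdf_expand_label(app_secret, b"key", b"", 16))


# Constructed post-handshake traffic: handshake messages interleaved with application data.
MESSAGES = [
    (HANDSHAKE, b"NewSessionTicket (constructed)"),
    (APPLICATION_DATA, b"GET / HTTP/1.1"),
    (HANDSHAKE, b"KeyUpdate (constructed)"),
]


def compare_options(shared_secret: bytes) -> Dict[str, object]:
    """Build the same traffic under both options and report what an observer sees."""
    hs_key, app_key = derive_stage_keys(shared_secret)
    single_key = hkdf_expand_label(shared_secret, b"key", b"", 16)
    recs1 = [record_single_key(single_key, i, ct, p) for i, (ct, p) in enumerate(MESSAGES)]
    recs2 = [record_public_type(hs_key if ct == HANDSHAKE else app_key, i, ct, p)
             for i, (ct, p) in enumerate(MESSAGES)]
    return {
        "option1_observer": observer_view(b"".join(recs1)),   # every header says 23
        "option2_observer": observer_view(b"".join(recs2)),   # 22/23 visible per record
        "keys_distinct": hs_key != app_key,
        "option1_roundtrip": [open_single_key(single_key, i, r) for i, r in enumerate(recs1)] == MESSAGES,
    }


if __name__ == "__main__":
    for k, v in compare_options(b"constructed shared secret").items():
        print(k, v)
```

Under option 1 the observer's list shows only application_data headers (the extra byte per record is the encrypted content type), so the two harms Yoav separates are visible as two independent switches here: which key a record is protected under, and whether its type is readable from the header. The toy XOR protection is deliberately not a cipher to build on; it stands in for the AEAD so the framing comparison runs offline.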