[TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Mon, 02 June 2025 17:35 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 08C242FD1994 for <tls@mail2.ietf.org>; Mon, 2 Jun 2025 10:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWN9l2tNZbAV for <tls@mail2.ietf.org>; Mon, 2 Jun 2025 10:35:25 -0700 (PDT)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D820F2FD1984 for <tls@ietf.org>; Mon, 2 Jun 2025 10:35:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:From:References:CC:To :Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=lXvJ/NynidfSnONwJ98phZ90DYaMuLGg6teb92ZJB6I=; b=pmz1VmjynLRi3fdH589GmKM+JP dYfUXnI60iaF2v+jLdm6tZUKbPOPEgPYf99JAlYks9RoV+DwcDzkNb0LPr2XbCZsup/k440WPcISd hjqTfWQtfhkhps7JwF3z4XHjZqg2jDzRpVi0P/6861Y9VDhZPeXff2Y6u/PlM/3FRBaz/8FVqnAc6 m99Ad42pD+I0yU+FGjA4ODQhhERUJ1Y+ezjE6/5rJTopin24sDwYv6HPzGUqxEdrmAyXICZxiHQXg lFGIqNx8Y+g+MqtkQQ4n6cXvjIm6PeH+RBauI6GhLczuxWwZvg+5aO3/wSJqaK81h3UFJ91T8ZpsA BQVHdeGg==;
Received: from msx-t422.msx.ad.zih.tu-dresden.de ([172.26.35.139] helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1uM94E-00A1X1-Vo; Mon, 02 Jun 2025 19:35:23 +0200
Received: from [10.12.5.228] (141.76.13.165) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Mon, 2 Jun 2025 19:35:20 +0200
Message-ID: <85357124-bb8e-4caf-9a41-94d3e51fe07c@tu-dresden.de>
Date: Mon, 02 Jun 2025 19:35:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Eric Rescorla <ekr@rtfm.com>
References: <90bdd3cd-a5d0-4a82-b28c-2965536a7154@tu-dresden.de> <CADi0yUP27w+gcLvfWjn=+EqxfiWebFiyaNa1aUomVai8AUAU5w@mail.gmail.com> <f16029e7-33ea-449d-9a6d-936b649d30d5@tu-dresden.de> <b805cab0-1395-44cc-9dfb-8599e491226d@tu-dresden.de> <CABcZeBP_fqYBjUhNdEhZJcUorVYhAiTnP-2x6zqU9BQTs=Rm+A@mail.gmail.com> <42ac6c35-6277-4c64-a479-553edd70627d@tu-dresden.de> <CABcZeBN5UkzZesn+AoSObFqosisnOn6KnVfeTn=C3p-2yzBvxA@mail.gmail.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <CABcZeBN5UkzZesn+AoSObFqosisnOn6KnVfeTn=C3p-2yzBvxA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020305060306000306010003"
X-ClientProxiedBy: MSX-L421.msx.ad.zih.tu-dresden.de (172.26.34.141) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: ML2EP2L6MHIFM4GJQACMD44AUT6PW2AK
X-Message-ID-Hash: ML2EP2L6MHIFM4GJQACMD44AUT6PW2AK
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pPV-uCcsmXHmTAq6NJZiKU1aCLo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On 30.05.25 18:08, Eric Rescorla wrote: > >> >> > Issue 2: "Binder Finished Key" > > I would appreciate an explicit entry in Table 2, rather than > burying it deep in Section 4.2.11.2. Something like: > > Mode = PSK | Handshake Context = ... | Base Key = binder_key > > > I don't think this change is indicated. It is not a Finished key. > ok fine, but the least we should do is to make PSKBinderEntry explicit. I have submitted a PR [1]. Please check. [1] https://github.com/tlswg/tls13-spec/pull/1392 >> >> > --- >> > >> > Issue 4: Full key derivation schedule: >> > >> > TL;DR: Please add full key derivation schedule in >> specifications in RFC8446bis. >> > >> > Details: >> > >> > The text in section 7.1 says >> > >> > > This produces a full key derivation schedule shown in the >> diagram below. >> > >> > The figure, however, by no means is anything close to a full key >> > schedule. It shows only the first stage of keys. Seems like it >> would >> > be very beneficial if at least the Appendix of RFC8446bis >> includes a >> > full key derivation schedule. Right now, the key schedule is >> > scattered around in sections 7.1, 7.3, 7.5, 4.4 and 4.4.4. >> >> This diagram is already quite large, so I fear it would be a lot of >> work to produce something that was readable. I agree it's not helpful >> to say "full" here, and I'd welcome some revised text. >> > Happy to propose revised text but without such a complete diagram, > I don't know how we can have consensus on what is a "full" key > schedule. For example, how can I be sure that I have not missed a > key buried somewhere deep in the specs? How can I be sure that the > "reference" key schedule -- that I am using to validate the key > schedule -- is correct and complete? > > Well "full key schedule" isn't used otherwise, so I'm not sure we need > to have a definition for this. I am not asking for a definition per se. See below. > Are you saying that there is some lack of clarity on what keys are > generated, or merely that > you think it requires a close read to find it. Well, I may be a careless reader but many experts who have several years of work on TLS have got it wrong too. In particular, the level of detail in ECH formal analysis [3] is really amazing, but they have got the key schedule wrong too. I will share some statistics of my preliminary working: * The formal model "reftls" [2] has missed at least 6 keys and has generated at least 12 keys incorrectly. * The formal model of ECH [3] has missed at least 5 keys and has generated at least 12 keys incorrectly. * The formal model of ECH [3] has invented a new key in the key schedule, namely "client_fkad" [4] which they claim to be modeling "[sender]_finished_key" (in addition to the two finished keys). I don't find anything like this in the TLS or ECH specs. So where is this coming from? I agree with you that it is perhaps a lot of work to have a full key schedule diagram and to still keep it readable. But I haven't received a satisfactory answer to my question, namely how do I ensure that my "reference key schedule" is correct and complete? Who other than TLS WG can provide such a "reference key schedule"? It is not even clear how many keys are there in the full key schedule. I am not insisting on a diagram. It could be in text form, e.g., a complete list of *all keys* as a starting point. It could be in the Appendix. I will happily propose something as a starting point. To my understanding, it would be table 3 in [5] + PSKBinderEntry + [sender]_write_iv. Is there any other key? Usama [2] https://github.com/Inria-Prosecco/reftls/blob/master/pv/tls13-draft20-only.pv [3] https://gitlab.inria.fr/chevalvi/echo_tls [4] https://gitlab.inria.fr/chevalvi/echo_tls/-/blob/9fd6b2a0523087d41ba480c6180b9da92833ca50/libraries/key_schedule.pvl#L95 [5] https://ieeexplore.ieee.org/document/10752524
- [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Hugo Krawczyk
- Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Fwd: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Eric Rescorla
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar
- [TLS] Re: Key Hierarchy TLS 1.3 RFC8446(bis) Muhammad Usama Sardar