IETF Logo Mail Archive

Re: [TLS] Comments on EndOfEarlyData

Benjamin Kaduk <bkaduk@akamai.com> Wed, 17 May 2017 04:32 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 449C11294E1 for <tls@ietfa.amsl.com>; Tue, 16 May 2017 21:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4Qs30XzXvy8 for <tls@ietfa.amsl.com>; Tue, 16 May 2017 21:32:35 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D3611296C9 for <tls@ietf.org>; Tue, 16 May 2017 21:28:36 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v4H4RZ2q000745; Wed, 17 May 2017 05:28:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : references : cc : from : message-id : date : mime-version : in-reply-to : content-type; s=jan2016.eng; bh=wrr32BbKcY81SxiN66YbDDZX+0ZKHJ22I3hmCkVVoQo=; b=ouj53rEubZQq4+oNzshIA+gHuLoT+yWI260UmiRybD8IYa6235QnNtJuWt78OToCOP93 kOZGhv1L9v1daCuSfXoFVBME5FxXBHcX47UGqjT9w9WPhZo11QNu2yhwXKLvBVMwP5tt z0CRGcxnFRp3MJh2kTBrNohAoIBoWcpZGP2eNhojKEA2umC0mBR1VYwiK/nLw5mcEK+d BI7LmFPB802Hhn+Fg+R9RZiIbcZkPqH0pDKDsizKaDjNdNRsfmh2o7wIUCKXqGUGHH7b /StMdtcSFgy3N25fZnstXbViuKIP38Yue2Q+EkO7phYHoekWFD1Lw3czN9zNtTYPgbQ1 tQ==
Received: from prod-mail-ppoint3 ([96.6.114.86]) by m0050096.ppops.net-00190b01. with ESMTP id 2ag0985bsm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 May 2017 05:28:33 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v4H4L24l008107; Wed, 17 May 2017 00:28:33 -0400
Received: from prod-mail-relay14.akamai.com ([172.27.17.39]) by prod-mail-ppoint3.akamai.com with ESMTP id 2adwfv39w0-1; Wed, 17 May 2017 00:28:32 -0400
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay14.akamai.com (Postfix) with ESMTP id 92FB680059; Tue, 16 May 2017 22:28:32 -0600 (MDT)
To: Britta Hale <britta.hale@ntnu.no>
References: <66025639-5ceb-021a-61c4-60620c402a6c@ntnu.no> <CABcZeBMu=9KPvmz-sDknXpa4Vjer=md=ZqsFqGd6WNEFdAxSdg@mail.gmail.com> <1f7c62a1-db73-aeae-97d0-77c769606198@ntnu.no> <CABcZeBPb6HrykcJ8qxktiaH1rMaGv4jEkBBJnDNkdMjOSG-5sw@mail.gmail.com> <238d04ec-eb56-7879-b8c5-754c910bae30@ntnu.no> <CABcZeBPJUQXxoE2FYyrnG7yYPRhUxy2y_D6CdvwZKEuyRopA3g@mail.gmail.com> <c270a7db-73e6-9d7f-e1f7-1bc45ba25717@ntnu.no>
Cc: "tls@ietf.org" <tls@ietf.org>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <a8e9867b-31db-4043-b9cd-0d7bfee3bdc4@akamai.com>
Date: Tue, 16 May 2017 23:28:32 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <c270a7db-73e6-9d7f-e1f7-1bc45ba25717@ntnu.no>
Content-Type: multipart/alternative; boundary="------------15DEAC457CB3B885630C480F"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-17_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705170034
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-17_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705170035
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pXS65c3khKR_RfOHkdQaNZUkP3Q>
Subject: Re: [TLS] Comments on EndOfEarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 04:32:37 -0000

On 05/16/2017 05:57 PM, Britta Hale wrote:
> It is a matter of consistency not aesthetics, and that has actual 
> implications on analysis. 

I think there are some unsupported (and unstated!) assumptions about
what framework in which to analyze things going on here.

> Classifying message types is meaningful in terms of truncation attacks.
> Under a application traffic secret, a receiver is only guaranteed protection 
> from a truncation if it receives an alert (close_notify). According to the 
> current draft, a server is only guaranteed protection from such an attack 
> for 0-RTT data if it receives a handshake message. Such a difference is sloppy
> in terms of analysis.

For truncation attacks, maybe alert makes more sense.  In the area of
advancing the state machine without terminating the connection,
handshake makes more sense.  You are talking as if there is a single
right answer without stating your assumptions; you need to say more
about what you are assume and what analyses hinge on such assumptions if
you want your argument to carry much weight.

> Furthermore, there is the inconsistency of placement of the EOED message in 
> the Finished hash. The lack of synchronization of EOED, i.e. not being fixed 
> with respect to the other handshake messages, could complicate analysis in 
> terms of matching server/client transcripts.

The location in the handshake hash is well-specified in the "The
Transcript Hash" section -- it comes after server Finished.
It looks like we need to update the preceding table covering base key
generation to match, though.

-Ben

v2.23.0 | Report a Bug | By Email