[TLS] Possible deadlock when ACKing KeyUpdate messages?
Hanno Becker <Hanno.Becker@arm.com> Sat, 28 March 2020 22:30 UTC
Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B302C3A07F4 for <tls@ietfa.amsl.com>; Sat, 28 Mar 2020 15:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IodbY+gx; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IodbY+gx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id isExo5CS1b3V for <tls@ietfa.amsl.com>; Sat, 28 Mar 2020 15:30:52 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60073.outbound.protection.outlook.com [40.107.6.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C0943A07F1 for <tls@ietf.org>; Sat, 28 Mar 2020 15:30:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D9Lq4wbfUq0dyxk/qtnRN6G3coEpoOfvpL3wh7J/oXs=; b=IodbY+gxoYsNj5EbVujgJ/V+phfux5sdhHfh297/XPW9kI8ZhNebHjqVRTksv+KrwjZzccbKtjo+dOnp1yGhHm5HFN1TRjvHlAbAgZnJerIImuPWH1bGRZK7KkvaWDqND8ELDkTB3St94NRBGJ4PXavMs1BQOk7rWKQcQzrUb1s=
Received: from AM3PR05CA0093.eurprd05.prod.outlook.com (2603:10a6:207:1::19) by HE1PR0801MB2009.eurprd08.prod.outlook.com (2603:10a6:3:50::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Sat, 28 Mar 2020 22:30:48 +0000
Received: from VE1EUR03FT012.eop-EUR03.prod.protection.outlook.com (2603:10a6:207:1:cafe::55) by AM3PR05CA0093.outlook.office365.com (2603:10a6:207:1::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20 via Frontend Transport; Sat, 28 Mar 2020 22:30:48 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT012.mail.protection.outlook.com (10.152.18.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.17 via Frontend Transport; Sat, 28 Mar 2020 22:30:47 +0000
Received: ("Tessian outbound 8f06d475fc37:v48"); Sat, 28 Mar 2020 22:30:47 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: f56c0c784d18ef90
X-CR-MTA-TID: 64aa7808
Received: from 6688ee450ea5.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 91FE51BA-34C2-483C-A52F-1C4AA405E6A4.1; Sat, 28 Mar 2020 22:30:41 +0000
Received: from EUR04-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 6688ee450ea5.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sat, 28 Mar 2020 22:30:41 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SKJWYkvT0Tu7es9K0eNgszZgB54IsEZPqfbq3cAwQmhxITvm/UNkiex7E/dh+mYcU7EITrKT4GBS6c2FdntHmcKTwXmObY4vHlnEf0oN+rUx2TtchlPECWMv594YzaMU2c5xmPC5VtX3Y5HjwWT2+zZNOQ6Kc1hYp4j2sIXMVIcpqivHfgkEmdi9cYeuDcsSnNprhYC5dIkiS5+C3mSbUsgGAoFmiSTgLXOMU9E9AQslpSxC8/KNbLNJXv13rVRNS3akZUWDX7XWe8fp2o8N6uQi/GtKEG+5drIw4frPKb+t2/vTT1eF8Wq+ypFieIWFAtTWFwiw+ucGCb64tlc/7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D9Lq4wbfUq0dyxk/qtnRN6G3coEpoOfvpL3wh7J/oXs=; b=iAXXE5NvdKYuB8oEmuRoQ5kYwPOpCUMsKic9FN6mBP4I2Z+fNmmR7eTe+36RX8YUnHrw2MbO4jh/fAVNqjJhjK+Yugi2cO+49OOsdlNus5r5qFXbYH6lrt8h2oyTWo3xC9Qs5s5n/HZ0FTu0uMgIuSzijTh4PYbUc0loB4UJ2q1+ZBhb9uo0EGe13fD/6FZP5SdPa6mr5OPloV4t0/pw4aIsS/XHRjYJs0hsIhN9KMFPB/9Dnwr7zNVDwSKpEBHh+yjwhNmMjzX4HgRh4NXDyOsO9C/XyzMRBw/t6m6GsVGfFcUKJLIWX8sjLqpI1Nx5ORpPc5/VQZo77XTPdlPdtA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D9Lq4wbfUq0dyxk/qtnRN6G3coEpoOfvpL3wh7J/oXs=; b=IodbY+gxoYsNj5EbVujgJ/V+phfux5sdhHfh297/XPW9kI8ZhNebHjqVRTksv+KrwjZzccbKtjo+dOnp1yGhHm5HFN1TRjvHlAbAgZnJerIImuPWH1bGRZK7KkvaWDqND8ELDkTB3St94NRBGJ4PXavMs1BQOk7rWKQcQzrUb1s=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (52.135.163.143) by AM6PR08MB5047.eurprd08.prod.outlook.com (10.255.34.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Sat, 28 Mar 2020 22:30:39 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d%5]) with mapi id 15.20.2856.019; Sat, 28 Mar 2020 22:30:39 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Possible deadlock when ACKing KeyUpdate messages?
Thread-Index: AQHWBUxJ8anoCpmsBUC57Xe/3C4BZw==
Date: Sat, 28 Mar 2020 22:30:39 +0000
Message-ID: <AM6PR08MB3318966B8BEE7B818D6AB0409BCD0@AM6PR08MB3318.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [86.181.127.140]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 270367f8-8546-47b2-e07b-08d7d367a9a9
x-ms-traffictypediagnostic: AM6PR08MB5047:|HE1PR0801MB2009:
X-Microsoft-Antispam-PRVS: <HE1PR0801MB20091206952AC4CEE612BBC29BCD0@HE1PR0801MB2009.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 03569407CC
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB3318.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(346002)(136003)(366004)(39860400002)(376002)(396003)(52536014)(66946007)(316002)(478600001)(76116006)(86362001)(64756008)(66556008)(66476007)(7696005)(66446008)(19627405001)(2906002)(8936002)(81156014)(81166006)(8676002)(6506007)(186003)(15650500001)(5660300002)(9686003)(6916009)(55016002)(71200400001)(26005)(33656002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: uqi7N4f4zLr15+PGHZ4MBHxeS1n1oxzMslVRG2LHK13RZF2RlDLEvlXdJGYJeICZXUBM0MTAazESgbgGd0bn+c7OviAFgVdlojqYAnjli3d6eqvpC2g/dwxys5kSx6/omMaao3a1ymU5eKVvOXkErkG09SsrQ9LApL8W3Atw6FZs19QsvQUu+EzhP9tgH7KmyYbS7OACYUXCOExHumuM31ra5aCrxjpzWMLQMrrrYGd8MzrOgopKfIxE9XMbMkuCZ1f3fC1G5/y+ZCfR66p8ysaKwUs7jlc/TxagU9YOSzvE+0lLkTEPyMSHntYt99MCYoOw7fC5wPAGpMCfjA8uusf8Du6QfRiqWOqPSfPeKk2tixdlrLfKJRDu5FMJz2/qebutUoGsYnqY5TQEv0G8Og11+MoeMpnsitIDkKV+h75Kimk+8pFqOBtPzDXCnLaZ
x-ms-exchange-antispam-messagedata: 1eupUa/EPxi/F3uryaqKacdS61HF/mvTn10JE22Xmg55RbfbNEwbXIkvtUl+jzGkzFf57ZhM+9KKIoEoPjqvo0IwJtUV7U32YxP05pXO4fml6pRiLHM4S8BHk5taLexo9yyXDutyCrDCD/CR7vJrfw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB3318966B8BEE7B818D6AB0409BCD0AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB5047
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT012.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(346002)(39860400002)(376002)(136003)(396003)(46966005)(186003)(6506007)(26005)(52536014)(70586007)(356004)(86362001)(6916009)(47076004)(70206006)(36906005)(316002)(7696005)(19627405001)(5660300002)(82740400003)(33656002)(15650500001)(55016002)(478600001)(2906002)(26826003)(81166006)(81156014)(8936002)(336012)(8676002)(9686003); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 35f3b234-94dd-4ed5-df72-08d7d367a4dc
X-Forefront-PRVS: 03569407CC
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: B1NfDOTL5Ed2xws+06jsIx7PM6/3Hf2JQ+5nahFNzv8Lp0YCZTaEttWDhuDM7KfDs1wDPm5IjhRIdekLFshMgryPGmrKEoGKxpfiguE/JarzRkK5PH44eKtGl3geQstGCg2U3QeSbPzCt/y1Mg1g0vAVglOcZZe1JiTB4uMa0rrdaNOrDUoasRVGSVtZ+5PPJHr3+CLacpAfDb0bAIW3+a5InWxBObuWxwiTbLx289l94KNkzy1Rku+YEfr+1XXc8Ec3s+X3xFLhW4XnmAHJsaPgtJWOuljbClPE00yDLMX8YjOmonb0UfoqsnoSHUiDIjFa1nL9ahe1R0rRZjvnT2HqCUJLYHFogZWgk9yQtRz11llhnAG7mxF72OAbpkfF8c9yxT8hq3iywS1lKe+rBmp4DDOsYd0R1NW9csoliVZv9BcIO7HiMUU6P0YF9qJ/1IiROSKIO7JR3hh8NCMEHWk5coOSvresiFwpkGlL41DQjUX9C8xl1pA3xiiRKlKiAU6GCrTbZHDfeHZFIn1fjQ==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Mar 2020 22:30:47.6338 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 270367f8-8546-47b2-e07b-08d7d367a9a9
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0801MB2009
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KRmb5_uwV1pyGr2FIAuIzPkh1lI>
Subject: [TLS] Possible deadlock when ACKing KeyUpdate messages?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2020 22:30:55 -0000
In relation to ACKs for KeyUpdate messages, DTLS 1.3 Draft 37 states:
Although KeyUpdate MUST be acknowledged, it is possible for the ACK
to be lost, in which case the sender of the KeyUpdate will retransmit
it. Implementations MUST retain the ability to ACK the KeyUpdate for
up to 2MSL. It is RECOMMENDED that they do so by retaining the pre-
update keying material, but they MAY do so by responding to messages
which appear to be out-of-epoch with a canned ACK message; in this
case, implementations SHOULD rate limit how often they send such
ACKs.
This seems to allow implementations to remove old incoming keys immediately
after ACKing the KeyUpdate, which appears to open the door for the following
situation leading to deadlock:
+-------------------------+
| KeyUpdate, epoch N |-------------> received
+-------------------------+
+------------------------+
lost x-----| ACK, epoch M |
+------------------------+
[ new incoming epoch N+1,
remove keys for epoch N ]
- +------------------------+
received <-------------| KeyUpdate, epoch M |
+------------------------+
+-------------------------+
| ACK, epoch N |-------[ irrelevant whether it goes through - see below ]
+-------------------------+
[ new incoming epoch M+1,
remove keys for epoch M ]
Note: This isn't an entirely unlikely situation, since a KeyUpdate with update_requested flag
will result in a subsequent KeyUpdate from the other side, and the only unlucky thing that
needs to happen is for the original ACK to be lost while both KeyUpdate messages go through.
At this point, both sides have updated their incoming key material but
not their outgoing key material, since they're still awaiting the ACK -
however, it turns out that they can't actually read those ACKs anymore:
After some time, the peers resend the KeyUpdate messages, which will be
blindly ACKed by the peer according to the recommendation in the spec;
however, the ACKs will be encrypted with the wrong keys and cannot
be parsed on either side:
+---------------------------+
| resent KeyUpdate, epoch N |-------------> received, but can't be read
+---------------------------+ because incoming epoch N+1
send 'blind' ACK
received, but can't be read +------------------------+
because incoming epoch M+1 <--------------| ACK, epoch M |
+------------------------+
The same will happen to KeyUpdate retransmission from the other side.
It seems that this results in a deadlock. Am I missing / misunderstanding something?
A possible mitigation would be to force retaining the old key material for 2MSL,
or alternatively, to mandate that old key material must only be removed upon
receipt and successful decryption of a message using the new keys.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [TLS] Possible deadlock when ACKing KeyUpdate mes… Hanno Becker
- Re: [TLS] Possible deadlock when ACKing KeyUpdate… Hannes Tschofenig
- Re: [TLS] Possible deadlock when ACKing KeyUpdate… Hanno Becker
- Re: [TLS] Possible deadlock when ACKing KeyUpdate… Hannes Tschofenig
- Re: [TLS] Possible deadlock when ACKing KeyUpdate… Hanno Becker