[TLS] Key update routine
"Ken Ivanov" <ivanov@eldos.com> Fri, 28 April 2017 18:40 UTC
Return-Path: <ivanov@eldos.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B30C1293FB for <tls@ietfa.amsl.com>; Fri, 28 Apr 2017 11:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.374
X-Spam-Level: ***
X-Spam-Status: No, score=3.374 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIMEOLE_DIRECT_TO_MX=0.381, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, STOX_REPLY_TYPE_WITHOUT_QUOTES=1.757] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OtQm8qademav for <tls@ietfa.amsl.com>; Fri, 28 Apr 2017 11:40:56 -0700 (PDT)
Received: from widernetics.com (mail.eldos.com [198.50.222.230]) by ietfa.amsl.com (Postfix) with ESMTP id 585BF1293EE for <tls@ietf.org>; Fri, 28 Apr 2017 11:40:51 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=86.137.1.107;
Message-ID: <24DAECF17FE0434CA3111200D77E1911@WhiteBox>
From: Ken Ivanov <ivanov@eldos.com>
To: tls@ietf.org
Date: Fri, 28 Apr 2017 19:41:59 +0100
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-Authenticated-User: ivanov@widernetics.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rA-ho6KTpZQNqB2RMpyMoB72JgE>
Subject: [TLS] Key update routine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2017 18:51:07 -0000
Hi Eric and everyone, Glad to meet you all here in this group. I've been working my way through the latest TLS 1.3 draft (the 20th), and I hope you wouldn't mind me putting in my 2p about the key update routine. While section 4.6.3 (Key and IV update) provides good insight as to what the implementations should do if everything goes right, it is unclear on what they should do if something goes wrong. Specifically, while the spec instructs the party that receives a KeyUpdate with its request_update set to update_requested to respond with its own KeyUpdate with request_update set to update_not_requested, there are no provisions as to what the originator of the key update should do if it never receives the requested KeyUpdate response from the remote party (or does not receive it within a reasonable time scope). As, following the spec, the originator will be prepared to, I'm going to quote it here, 'receive an arbitrary number of messages between sending a KeyUpdate with request_update set to update_requested and receiving the peer’s KeyUpdate, because those messages may already be in flight,' I am afraid this might lead to various implementation mistakes where the implementations will simply wait for the KeyUpdate response to come in infinitely, thus creating a security flaw (the inbound key may never get actually updated). I guess we need clearer rules here, for the sabotage of the remote party to participate in the key update routine wasn't tolerated. We probably also need a well-defined cap on how many key update requests are allowed to be sent within a given time frame, as excessive key update requests from clients may consume valuable server resources. Such cap will also be helpful against buggy implementations which will always be responding to the other's KeyUpdate messages with their own request_update set to update_requested, effectively creating an endless loop of key updates. Hope this makes sense. Thanks in advance. Kind regards, Ken Ivanov EldoS Corporation
- Re: [TLS] Key update routine Ilari Liusvaara
- [TLS] Key update routine Ken Ivanov
- Re: [TLS] Key update routine Ken Ivanov