Re: [TLS] TLS 1.3 Key Schedule

Eric Rescorla <ekr@rtfm.com> Fri, 04 September 2015 16:13 UTC

In-Reply-To: <D2BE6707-1D2D-472B-8367-040486D202A3@vigilsec.com>
References: <581ED6DF-2D2B-4B74-92F0-F4CBEDF565B0@vigilsec.com> <CABcZeBPnUesZE4Tr8ek4aFXmio4epCjivUTHgU++GQ8Uc5b16g@mail.gmail.com> <D2BE6707-1D2D-472B-8367-040486D202A3@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 04 Sep 2015 09:12:30 -0700
Message-ID: <CABcZeBO8DiVT1FW5Va0V-W_ztJWAZfZJLue=R23yiQOpHwbxkQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rbKBtroKwj6vGC_mZCwVY3kftTg>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 Key Schedule

On Fri, Sep 4, 2015 at 8:58 AM, Russ Housley <housley@vigilsec.com> wrote:

> Eric:
>
> I looked at Hugo's message in the context of the table in Section 7.1:
>
>      Key Exchange            Static Secret (SS)    Ephemeral Secret (ES)
>      ------------            ------------------    ---------------------
>      (EC)DHE                   Client ephemeral         Client ephemeral
>      (full handshake)       w/ server ephemeral      w/ server ephemeral
>
>      (EC)DHE                   Client ephemeral         Client ephemeral
>      (w/ 0-RTT)                w/ server static      w/ server ephemeral
>
>      PSK                         Pre-Shared Key           Pre-shared key
>
>      PSK + (EC)DHE               Pre-Shared Key         Client ephemeral
>                                                      w/ server ephemeral
>
> If I understand Hugo's message correctly, he is saying that in the second
> row, the SS must be part of the key derivation.  I think we need to
> consider the bottom row as well.
>
> It seems to me that using the master_secret captures the benefits of both
> the SS and the ES.  This meets Hugo's requirement for the second row, and
> gets the benefits of the ephemeral values for the bottom row.
>

I don't think you are reading that correctly. The point is that in the case
where SS is authenticated (e.g., a PSK or a static DH), then the Finished MAC
authenticates the ServerKeyShare. If you include ES in the Finished key, then
you are using ES to authenticate ServerKeyShare, which apparently makes
analysis harder.

-Ekr

> Russ
>
>
> On Sep 4, 2015, at 11:33 AM, Eric Rescorla wrote:
>
> See:
> http://www.ietf.org/mail-archive/web/tls/current/msg17184.html
>
> On Fri, Sep 4, 2015 at 8:27 AM, Russ Housley <housley@vigilsec.com> wrote:
>
>> In Section 7.1, the document says:
>>
>>      4. finished_secret = HKDF-Expand-Label(xSS,
>>                                             "finished secret",
>>                                             handshake_hash, L)
>>
>>      5. resumption_secret = HKDF-Expand-Label(master_secret,
>>                                               "resumption master secret"
>>                                               session_hash, L)
>>
>> Why don't we use the master_secret in both the finished_secret and the
>> resumption_secret formula?
>>
>> Russ
>>
>
>
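To make the distinction in the reply concrete, here is an added example (not code from the draft or from either author) that implements the quoted step 4 derivation over a simplified HKDF key schedule, next to the proposed master_secret variant, and checks which inputs each Finished MAC depends on. The HkdfLabel wire encoding, the zero-salt extraction of xSS/xES, the way master_secret combines them and the use of HMAC(finished_secret, handshake_hash) as the Finished value are assumptions standing in for the draft's exact definitions; the secrets and transcript are constructed sample values.

```python
import hashlib
import hmac

HASH = hashlib.sha256
L = HASH().digest_size  # hash output length, the L in the quoted formulas

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, hash_value: bytes, length: int) -> bytes:
    # HkdfLabel wire encoding is an assumption: uint16 length, prefixed label, hash value
    full_label = b"TLS 1.3, " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(hash_value)]) + hash_value)
    return hkdf_expand(secret, info, length)

def key_schedule(ss: bytes, es: bytes) -> dict:
    # Simplified schedule (assumption): extract SS and ES, combine both into master_secret
    xss = hkdf_extract(bytes(L), ss)
    xes = hkdf_extract(bytes(L), es)
    return {"xSS": xss, "master_secret": hkdf_extract(xss, xes)}

def server_finished(ss: bytes, es: bytes, transcript: bytes, key_source: str) -> bytes:
    # key_source "xSS" is the quoted step 4; "master_secret" is the proposed alternative
    handshake_hash = HASH(transcript).digest()
    finished_secret = hkdf_expand_label(key_schedule(ss, es)[key_source],
                                        "finished secret", handshake_hash, L)
    return hmac.new(finished_secret, handshake_hash, HASH).digest()  # Finished value (assumption)
# Constructed sample inputs: a PSK-style static secret and a transcript ending in ServerKeyShare
SS = b"constructed pre-shared key"
TRANSCRIPT = b"ClientHello|ServerHello|ServerKeyShare(constructed)"

def finished_depends_on_es(key_source: str) -> bool:
    # Same SS and transcript, two different ephemeral secrets
    a = server_finished(SS, b"ephemeral-A", TRANSCRIPT, key_source)
    b = server_finished(SS, b"ephemeral-B", TRANSCRIPT, key_source)
    return a != b

def finished_covers_server_key_share(key_source: str) -> bool:
    # Same secrets, but the ServerKeyShare bytes in the transcript are altered
    a = server_finished(SS, b"ephemeral-A", TRANSCRIPT, key_source)
    b = server_finished(SS, b"ephemeral-A", TRANSCRIPT + b"'", key_source)
    return a != b
```

With the xSS-keyed derivation the Finished MAC changes when ServerKeyShare changes but not when ES changes, so only SS is doing the authenticating; keying it from master_secret makes the MAC depend on ES as well, which is the situation the reply describes as harder to analyse.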