Re: [TLS] DTLS KeyUpdate
Eric Rescorla <ekr@rtfm.com> Wed, 01 November 2017 13:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE5A13FC99 for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 06:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBdQBcWVSVwn for <tls@ietfa.amsl.com>; Wed, 1 Nov 2017 06:04:13 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF65013F442 for <tls@ietf.org>; Wed, 1 Nov 2017 06:04:12 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id q1so1754979ywh.5 for <tls@ietf.org>; Wed, 01 Nov 2017 06:04:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JWqxGPIZLTHqiC1sngDVpQaiIRbnWy3jBF90zsJ221E=; b=sq1BU3h1iLH9qGkLUJ2gZcM4KVf3TvwHqcLiayLr/1YEFt7H/+ng25RWVVz5Sv3uMk pUuXXvoRwK5S/IcRVrnBY95/4Bzes1GNxwSW48MUv5X49WUowwbnUt+3OBZcy6XBbAhy iFm6HUijOA3LikQ1EkqY327/e6ujmxCuHSyte81Kzx9moZt6fWpFJw3j4peGUgtXTOJh DmV6t143XjTs61LZ9e0npkwpFjnN498/fRLeIGmxe0xmuyN8Nglgp5LyvqenOpsNYxtB fcT5y+Y28BxtmC41RMYh6NGuE/Y6euapOn5fuwWd4bPHB71L6rPvmSwPbWNRWzW5VXGk 6Lvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JWqxGPIZLTHqiC1sngDVpQaiIRbnWy3jBF90zsJ221E=; b=Ij3mD34wLoJMQmHU4ZDeShWYd4n3cAXO/QpW5ne19tGBfW4wjdtKl7dmirXOalnrPQ i3bSayeVIqvPJjRUsTBVQMeh7WXM0nBbApzzO/NjvdGhr5TuOHZx8T27IJhhHy+XPr7M QNcieCX5zsoCaNE67BE4OVkJNOG3KN//XYECbZH/j6dYXph138eRSfNWROV30DHBGwGF IvRQdhuMqkAOQ5CvLiRuJpMzx+OrR6Qz08s5cebtVMDZV/sM4fzaaxP4ZceOPK8Pv1n2 jQ60a5tu/u52hiHFldnhthU4thQxrro0UjEZlJq06BzMMSUjCixAauabzmoseSYthhko uTNQ==
X-Gm-Message-State: AMCzsaVNZ/56tzXNlNBXVtzoBk/ZsiDjYyuB11km72g/IvX5VKmVxa8i lT8XXqbv4PqELojtQuBdwm/dpZSO1RDJxqAulduGt4kb
X-Google-Smtp-Source: ABhQp+SvhSwXrB3EfmKbofjFsDL6KhGefF+kkhe7y2IWRE2DDCjePIk46PloiMfyBZHvIWR5Gm9lC4XtoJ99Xq0Uonw=
X-Received: by 10.37.209.208 with SMTP id i199mr3374998ybg.339.1509541451925; Wed, 01 Nov 2017 06:04:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.194 with HTTP; Wed, 1 Nov 2017 06:03:31 -0700 (PDT)
In-Reply-To: <CABkgnnV9qZEfD3YgSV2+d3Y0wn12Er-G-tKJVyNWjqTctAerjA@mail.gmail.com>
References: <CABkgnnV9qZEfD3YgSV2+d3Y0wn12Er-G-tKJVyNWjqTctAerjA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 01 Nov 2017 06:03:31 -0700
Message-ID: <CABcZeBMn+2HskMVX-xRxuVPVPVWs-WZ7TTZWz12_ap50YFvAbg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05e1a6043398055ceb826c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sAo-485cKh_9RlVk69WNgXoWiQg>
Subject: Re: [TLS] DTLS KeyUpdate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 13:04:14 -0000
On Tue, Oct 31, 2017 at 10:45 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > (From https://github.com/tlswg/dtls13-spec/issues/25) > > Using the TLS process for KeyUpdate - as the current draft does - > leads to a suboptimal set of choices in implementations. > > Sending KeyUpdate followed immediately by a key change means that > KeyUpdate isn't a reliable indicator of a key change at the receiver. > If the record containing the KeyUpdate is lost, then the receiver will > be unable to decrypt anything sent after it unless it looks at the > epoch and tries the new keys. It's important to be clear that this creates head-of-line blocking, not deadlock. The sender will retransmit the KeyUpdate eventually. And (though it's not in the document), the sender could also retransmit the packet itself. Given the comparative rarity of KeyUpdates, I don't actually think either of these is disastrous. I would prefer a different design, even if it diverges from the TLS design. > > 1. That could be the same design as QUIC uses, with the epoch bit > signaling intent. The cost there is that you need to use the bit as an > acknowledgment of a key update, so you end up having to keep key > updates in lock step, even if no update is needed. If there are > asymmetric sending patterns, this isn't ideal. > Yeah, I don't think this is a good design in QUIC and I wouldn't be in favor of it here. We've gone to some trouble to have explicit updates in DTLS and this is far cleaner than the situation in QUIC, and I'm not eager to make a change in the opposite direction. > 2. Wait until the KeyUpdate is acknowledged before installing new > keys. When KeyUpdate is received, the receiver installs new keys, but > retains old keys on a timer (the holddown timer would do). This is already required by the spec and would be needed in any case. > The sender > waits for the ACK and starts using new keys when it sees it. The cost > here is that switching keys can't be immediate True, but that logic only happens at the sender. > and it requires hooks > into the ACK handling logic, neither of which is ideal > As above, I'm not persuaded that this change is necessary, given that DTLS is inherently a lossy protocol, and that receivers *can* be clever, but if the resolution is that it is, then I think this is the right approach. -Ekr > I have implemented the former and it's a little ugly, but I haven't > tried the latter. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] DTLS KeyUpdate Martin Thomson
- Re: [TLS] DTLS KeyUpdate Eric Rescorla