Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

Bill Cox <waywardgeek@google.com> Tue, 12 July 2016 15:43 UTC

To: Douglas Stebila <dstebila@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t4QZAnb2Gg8Xj9Q-N5vt8m4zKPw>
Cc: "tls@ietf.org" <tls@ietf.org>

IIRC, in TLS 1.2 the same keys are used after resumption, and EKM values do
not change.  I think most applications currently using EKM will break if
the EKM values change after a PSK resume.

However, forcing TLS 1.3 to remember a 256-bit EKM seed will bloat tickets
by 32 bytes, and complicate the state machine.  I think this could
partially be addressed by enhancing the custom extension APIs found in
popular TLS libraries to enable custom extensions to specify state that
needs to be remembered on a resume.  That, in combination with requiring
extensions to be sent and processed in order of extension number, could
enable a lot of this complexity to be taken out of the main TLS code, and
only connections that actually need such extensions would see the increase
in ticket size.

Could something like this work well for channel binding?

Bill
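Added example, not part of this message or the thread: the exporter derivation as published later in RFC 8446 (Section 7.5), which answers the subject-line question by deriving exporter output from exporter_master_secret only, so a KeyUpdate that rotates application_traffic_secret leaves exporter values unchanged. All secrets here are constructed values and the label/context are placeholders; SHA-256 is assumed as the handshake hash.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) using HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1): HkdfLabel = uint16 length || "tls13 "+label || context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret: context is the transcript hash of `messages` (here the empty transcript)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 s7.5): only exporter_master_secret, label and context feed the output."""
    derived = derive_secret(exporter_master_secret, label, b"")
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def key_update(app_traffic_secret: bytes) -> bytes:
    """Next-generation traffic secret after KeyUpdate (RFC 8446 s7.2)."""
    return hkdf_expand_label(app_traffic_secret, b"traffic upd", b"", HASH_LEN)


def exporter_survives_key_update() -> bool:
    # Constructed stand-ins for the handshake's exporter_master_secret and application_traffic_secret_0.
    ems = hashlib.sha256(b"constructed exporter_master_secret").digest()
    ats0 = hashlib.sha256(b"constructed application_traffic_secret_0").digest()
    before = tls_exporter(ems, b"EXPORTER-demo", b"constructed context", 32)
    ats1 = key_update(ats0)  # traffic secret rotates...
    after = tls_exporter(ems, b"EXPORTER-demo", b"constructed context", 32)
    return before == after and ats1 != ats0  # ...but the exporter value does not
```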