[TLS]Re: Adoption call for Extended Key Update for TLS 1.3

Dan Wing <danwing@gmail.com> Wed, 31 July 2024 23:26 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16100C151545 for <tls@ietfa.amsl.com>; Wed, 31 Jul 2024 16:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-CymCOv-l_v for <tls@ietfa.amsl.com>; Wed, 31 Jul 2024 16:26:26 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C0FC14F5EE for <tls@ietf.org>; Wed, 31 Jul 2024 16:26:26 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id d2e1a72fcca58-7104f939aaaso1023544b3a.1 for <tls@ietf.org>; Wed, 31 Jul 2024 16:26:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722468385; x=1723073185; darn=ietf.org; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :from:to:cc:subject:date:message-id:reply-to; bh=twzikuoGfdRTE0aWa+TyUymzduEEGLFhC842ggxlLZs=; b=bWI5cUNsJ6dmBV1NDs8OlznqMnecF6D49wLu8v6mYFMjR8a4JUHpVdqRVCrOKLKtqn BD9s2ZtWyeLR0ZugH9vORaF378x3476AsieYJo3LpLsxrWVdpBac4ms87tDYMvnfq1Bq zPcLDETQcHzv7R3zV6SEwRsuCn61J9xNs6hgkh3VrHMHm1l6iA/NZr3XeD7a999ZkI9H cCmU6r6z0gPr4O7/+hBnePT/qaN2ijgsFC1PIQkoENg8DcV9NCDHePW/MVMapWtMhmWS niSCWKlvgaf47JI3cY+uPpgaXgg7IeCeRIBLJ8Cspud0enK4YrZxZpOIpAvfeL2xHa3M pdTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722468385; x=1723073185; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=twzikuoGfdRTE0aWa+TyUymzduEEGLFhC842ggxlLZs=; b=knfVX6iuXwejqnXR5g92827yw1GK0K6gPGReacyAYorRBQVJG1IR0NuXNMi0vuya1H pyXTwxcgOeK5LNsKlVto5pHtdheI1xY1hzspstcFljwkhwPRUIHw8ETlwJ4t97PDDjLj w1LRWFvRPssXs1NrT37L0Mb4WFtJe54mOtKWQzsRer7EvQw+FA37jv3pd2GB5q04hvdN RUownxkCU/jFcldZYabbYHKxLDVIrxOwUKHathFK8UYrSvo6dQ2QIR8RMHeDremgsoJy WmPXHQqZhuHmEKhcPLkHykLTk3xXYcjc8CvivwwlkAtYj/meuDj4bvST8EgUiyq7bCPO mPDQ==
X-Gm-Message-State: AOJu0YwAJNeFxp7LfY3jKQ6bEpIMoQgz4vVqBClwzGEunxnVAIe1+1o/ G3Mx4EUpGKZaMyV1m0tPI+k35gmCNO/040OlKUTUwTyWM5KhFHHIRd8CJQ==
X-Google-Smtp-Source: AGHT+IHAH1Cq9AYgGSQI+8bhy9lpMFxmZLa8znrkwI0kLdt/709CZHkLeg4JJF7+Hrccp6OfHGC9OQ==
X-Received: by 2002:a05:6a00:8586:b0:70d:3938:f1a5 with SMTP id d2e1a72fcca58-7105d7a8cd7mr935013b3a.22.1722468384903; Wed, 31 Jul 2024 16:26:24 -0700 (PDT)
Received: from smtpclient.apple ([47.208.219.53]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-7a9f9ec4236sm10967999a12.62.2024.07.31.16.26.23 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Jul 2024 16:26:23 -0700 (PDT)
From: Dan Wing <danwing@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_73770C79-2D17-48D7-AB7D-5D4A90F68F11"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
Date: Wed, 31 Jul 2024 16:26:23 -0700
References: <595B81B5-6E50-4809-AD56-8646F31C99CD@sn3rd.com> <CE5E830A-7173-46A8-962F-4B92E62A3D3C@lurchi.franken.de> <CAF8qwaCRhpDYL+Nyji=L6ZHbiUSRdh5L_0zFzk21zgptZBwAKA@mail.gmail.com>
To: TLS WG <tls@ietf.org>
In-Reply-To: <CAF8qwaCRhpDYL+Nyji=L6ZHbiUSRdh5L_0zFzk21zgptZBwAKA@mail.gmail.com>
Message-Id: <02E4203A-684C-440A-B3E4-C2DE4D03F4AE@gmail.com>
X-Mailer: Apple Mail (2.3776.700.51)
Message-ID-Hash: WBTEA4Y3R57AP6M7SVBRPAXLPQZOKWYK
X-Message-ID-Hash: WBTEA4Y3R57AP6M7SVBRPAXLPQZOKWYK
X-MailFrom: danwing@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Adoption call for Extended Key Update for TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uKjVp8Pv2uJ0FLfM2UIt5SndO74>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I also support adoption of this draft.  

I share David's observation that the client and server could simultaneously initiate an Extended Key Update, but I had a different mitigation in mind: each side chooses a random value and the higher value wins if there is another ExtendedKeyUpdate already in progress with a lower value.  However, I prefer David's design.  


nit in Introduction,
OLD:
including the update keys with a Diffie-Hellman exchange during the lifetime of a session.
NEW:
including updating keys with a Diffie-Hellman exchange during the lifetime of a session.

-d


> On Jul 25, 2024, at 3:51 PM, David Benjamin <davidben@chromium.org> wrote:
> 
> I support adoption of the draft to solve this problem, but I suspect the construction will need some changes. I'm not sure the construction in the draft actually works.
> 
> A single extended key update flow in the draft sends NewKeyUpdate in both directions. Now, imagine if both client and server initiate an extended key update in parallel. Messages don't get sent instantaneously, so we can't prevent this scenario. We will then have two concurrent instances of this flow:
> 
> Client-initiated:
> C->S: ExtendedKeyUpdateRequest1
> S->C: ExtendedKeyUpdateResponse1
> C->S: NewKeyUpdate1a; update C->S traffic secret
> S->C: NewKeyUpdate1b; update S->C traffic secret
> 
> Server-initiated:
> S->C: ExtendedKeyUpdateRequest2
> C->S: ExtendedKeyUpdateResponse2
> S->C: NewKeyUpdate2a <-- updates S->C traffic secret
> C->S: NewKeyUpdate2b <-- updates C->S traffic secret
> 
> Now, the problem is that NewKeyUpdate1b and NewKeyUpdate2a are the same message, sent in the same direction and may flow in parallel. Same for NewKeyUpdate1a and NewKeyUpdate2b. That means you can get in a situation where both flows are waiting for a NewKeyUpdate message and you can't tell which one to progress. If the client and server disagree on the order in which to apply the two secrets, the protocol will break.
> 
> One could fix this by making the two messages different, but that seems unnecessary. I believe we only need three messages, not four.
> 
> C->S: ExtendedKeyUpdateRequest
> S->C: ExtendedKeyUpdateResponse; update the S->C traffic secret
> C->S: NewKeyUpdate; update the C->S traffic secret
> 
> I might suggest that NewKeyUpdate be called ExtendedKeyUpdateFinish in this version. This avoids the ambiguity and is simpler.
> 
> (Not sure what the consequences of either design is on DTLS? I think I'd need to spend time with pen and paper there. Perhaps it is sufficient to just drive the update on ACKs, after apply the fixes described in https://mailarchive.ietf.org/arch/msg/tls/_ku3-YDcroNmG_QKZsYTtqYzC0M/ )
> 
> But, as for adoption, I think solving this problem makes sense, and I think this draft is still a reasonable starting point.
> 
> David
> 
> On Thu, Jul 25, 2024 at 1:48 PM Michael Tuexen <michael.tuexen@lurchi.franken.de <mailto:michael.tuexen@lurchi.franken.de>> wrote:
>> > On 25. Jul 2024, at 09:39, Sean Turner <sean@sn3rd.com <mailto:sean@sn3rd.com>> wrote:
>> > 
>> > At the IETF 120 TLS session there was interest in adopting the Extended Key Update for TLS 1.3 I-D (https://datatracker.ietf.org/doc/draft-tschofenig-tls-extended-key-update/) This message starts a two-week call for adoption. If you support adoption and are willing to review and contribute text, please send a message to the list. If you do not support adoption of this I-D, please send a message to the list and indicate why. This call will close on 8 August 2024.
>> Dear all,
>> 
>> I do support adoption and I'm willing to work on it, in particular to make
>> sure that it works on the contexts of DTLS over SCTP, one of its use cases.
>> 
>> Best regards
>> Michael
>> > 
>> > Thanks,
>> > Sean
>> > _______________________________________________
>> > TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> > To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
>> 
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org <mailto:tls@ietf.org>
>> To unsubscribe send an email to tls-leave@ietf.org <mailto:tls-leave@ietf.org>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org