Re: [TLS] Initial draft of DH-based key exchange
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 28 March 2015 10:06 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 653261A70FE for <tls@ietfa.amsl.com>; Sat, 28 Mar 2015 03:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UVqSNjrbNaeQ for <tls@ietfa.amsl.com>; Sat, 28 Mar 2015 03:06:49 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7A01A702E for <tls@ietf.org>; Sat, 28 Mar 2015 03:06:48 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id D44A5402E; Sat, 28 Mar 2015 12:06:46 +0200 (EET)
Date: Sat, 28 Mar 2015 12:06:46 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Message-ID: <20150328100646.GB21290@LK-Perkele-VII>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <20150327150032.GA27825@LK-Perkele-VII> <D13ADBCE.43E69%kenny.paterson@rhul.ac.uk> <20150327161746.GA28742@LK-Perkele-VII> <CADi0yUN9Q7X1nm-bRwD6H2oqMANNLsTxhgSXbgF7odHTYRbbtw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CADi0yUN9Q7X1nm-bRwD6H2oqMANNLsTxhgSXbgF7odHTYRbbtw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vAJyAgwhaxif3tUmrjtuD_2KAfg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2015 10:06:50 -0000
On Fri, Mar 27, 2015 at 07:51:54PM -0400, Hugo Krawczyk wrote: > The theme of simplification applies to your concerns below too. > The simpler the protocol the closer it stays to its underlying > cryptographic core hence the closer it stays to the cryptographic semantics. > Actually, the issue of simplifying semantics is of utmost importance. > > For example, the hierarchical key derivation scheme in TLS 1.3/OPTLS bind > terminal keys (those used for data protection either inside the handshake > or output for record protection) to a unique context encompassing a label > defining the key's functionality and information that ties the key to > particular handshake session (including nonces, negotiated parameters, > identities, etc.). That defines the semantics and provenance of keys which > should be the only thing that consumers of the TLS handshake need to know > about these keys. > > One thing to double check when specifying the handshake protocol is that > context and intended semantics match indeed. I consider it important to: 1) Ensure that there are point where entiere context is captured. E.g. Handshake master secret not being in every key derivation chain or not including transcript so far makes security analysis quite a bit harder. This is from attackers being able to penetrate deeper into structure in less well defined ways. See the session_hash I-D for example of things potentially going wrong due lack of such point ("attacks [...] are not yet known"). To be fair to session_hash, TLS 1.2 structure is the problem. But TLS 1.3 has very natural point of doing so: The place where handshake goes encrypted and associated handshake MS. 2) Capture entiere relevant context for anything potentially used for authentication. TLS-Extractor MS needs to incorporate EncryptedExtensions in case there is some extension affecting TLS-Extractor. 3) Mix in input keys at the earliest available stage. The PSK and static-DH inputs are not the same! 4) Keep separate keys separate Using application MS as exporter MS seems like a bad idea. -Ilari
- [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Salz, Rich
- Re: [TLS] Initial draft of DH-based key exchange Dave Garrett
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Nikos Mavrogiannopoulos
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Paterson, Kenny
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Russ Housley
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Eric Rescorla
- Re: [TLS] Initial draft of DH-based key exchange Hugo Krawczyk
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara
- Re: [TLS] Initial draft of DH-based key exchange Ilari Liusvaara