IETF Logo Mail Archive

Re: [TLS] Initial draft of DH-based key exchange

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 28 March 2015 10:06 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 653261A70FE for <tls@ietfa.amsl.com>; Sat, 28 Mar 2015 03:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UVqSNjrbNaeQ for <tls@ietfa.amsl.com>; Sat, 28 Mar 2015 03:06:49 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7A01A702E for <tls@ietf.org>; Sat, 28 Mar 2015 03:06:48 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id D44A5402E; Sat, 28 Mar 2015 12:06:46 +0200 (EET)
Date: Sat, 28 Mar 2015 12:06:46 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Message-ID: <20150328100646.GB21290@LK-Perkele-VII>
References: <CABcZeBNmufvfJ_2Nvw1YwvwGZ2u1=WvL45rPGJXARN1tAxOEfw@mail.gmail.com> <20150327150032.GA27825@LK-Perkele-VII> <D13ADBCE.43E69%kenny.paterson@rhul.ac.uk> <20150327161746.GA28742@LK-Perkele-VII> <CADi0yUN9Q7X1nm-bRwD6H2oqMANNLsTxhgSXbgF7odHTYRbbtw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CADi0yUN9Q7X1nm-bRwD6H2oqMANNLsTxhgSXbgF7odHTYRbbtw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vAJyAgwhaxif3tUmrjtuD_2KAfg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Initial draft of DH-based key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2015 10:06:50 -0000

On Fri, Mar 27, 2015 at 07:51:54PM -0400, Hugo Krawczyk wrote:
> The theme of simplification applies to your concerns below too.
> The simpler the protocol the closer it stays to its underlying
> cryptographic core hence the closer it stays to the cryptographic semantics.
> Actually, the issue of simplifying semantics is of utmost importance.
> 
> For example, the hierarchical key derivation scheme in TLS 1.3/OPTLS bind
> terminal keys (those used for data protection either inside the handshake
> or output for record protection) to a unique context encompassing a label
> defining the key's functionality and information that ties the key to
> particular handshake session (including nonces, negotiated parameters,
> identities, etc.). That defines the semantics and provenance of keys which
> should be the only thing that consumers of the TLS handshake need to know
> about these keys.
> 
> One thing to double check when specifying the handshake protocol is that
> context and intended semantics match indeed.

I consider it important to:

1) Ensure that there are point where entiere context is captured.

E.g. Handshake master secret not being in every key derivation chain
or not including transcript so far makes security analysis quite a bit
harder.

This is from attackers being able to penetrate deeper into structure
in less well defined ways.

See the session_hash I-D for example of things potentially going
wrong due lack of such point ("attacks [...] are not yet known").

To be fair to session_hash, TLS 1.2 structure is the problem. But
TLS 1.3 has very natural point of doing so: The place where handshake
goes encrypted and associated handshake MS.

2) Capture entiere relevant context for anything potentially used for
   authentication.

TLS-Extractor MS needs to incorporate EncryptedExtensions in case
there is some extension affecting TLS-Extractor.

3) Mix in input keys at the earliest available stage.

The PSK and static-DH inputs are not the same!

4) Keep separate keys separate

Using application MS as exporter MS seems like a bad idea.


-Ilari

v2.23.0 | Report a Bug | By Email