Re: [TLS] Proposed text for removing renegotiation
Brian Smith <brian@briansmith.org> Wed, 28 May 2014 19:59 UTC
Date: Wed, 28 May 2014 12:59:32 -0700
From: Brian Smith <brian@briansmith.org>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vZzc0wsaRNQO3fel-_kWjraPCc8
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, May 28, 2014 at 9:38 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 27 May 2014 22:47, Brian Smith <brian@briansmith.org> wrote:
> >> It's not possible to just remove renegotiation.
> >
> > Why not? What is the motivation for keeping any form of renegotiation, even
> > rekeying? It isn't clear from the public mailing list discussions what is
> > motivating the rekeying feature. (Perhaps I overlooked something; if so, a
> > link to the past decision on this would be appreciated.)
>
> That statement was merely referring to the fact that there are other
> considerations that removing renegotiation exposes:
>
> AES-GCM (for example) can't be used with the same key indefinitely.
> 2^32 records is the limit apparently. We have reports of services
> that use the same connection for up to months with high volumes of
> traffic. Over that period, the sequence number might roll over, even
> if the keys are still good. Rekeying allows for those uses.

Understood. However, as I implied in my other responses today, I don't think TLS is the place to support that use case. It is enough for the TLS implementation to be only responsible for ensuring that we don't use a key beyond safe limits for its usage. How the application recovers from that limit being reached can be delegated to the application. The advantage with this is that only the applications that need to deal with this problem are impacted by it.

> It also provides a measure of forward security in that old keys can be
> thrown away. A break of a server only allows the attacker to gain the
> plaintext of a connection back to the last rekeying event.

I understand the idea is that both sides could throw away the old master secret right away and then nobody would be able to decrypt the traffic protected by that old master secret.

However, the "master secret advancement" mechanism you proposed is calculated using only the old master secret plus public nonces, which raises some risk of related-key attacks. As Martin Rex was saying, the advantage of TLS-1.2-style renegotiation is that the new master secret is clearly (could be made to be) completely unrelated to the previous master secret so that related key attacks aren't (could be made to not be) an issue.

Thus, while a simpler rekeying mechanism definitely makes the protocol simpler, we'd be trading a useful cryptographic property for that simplicity. And, most implementations that would support it would actually become more complicated by having to support both TLS < 1.3 renegotiation AND TLS 1.3 rekeying.

Consequently, I still think we should keep trying to get rid of renegotiation without adding anything new in TLS to replace it.

Cheers,
Brian
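
An added illustration of the two mechanisms this message weighs, not code from the thread or from any TLS implementation: an endpoint that refuses to protect more records than a key's limit and leaves recovery to the caller, and a rekey that derives the next master secret from the old one plus public nonces. HMAC-SHA256, the label string, and the names `Endpoint`, `advance` and `run` are assumptions made for the example.

```python
import hashlib
import hmac

GCM_RECORD_LIMIT = 2**32  # per-key record limit quoted in the thread

class KeyLimitReached(Exception):
    """The key's record budget is spent; the application decides what next."""

def advance(old_secret, client_nonce, server_nonce):
    # Assumption: HMAC-SHA256 stands in for the PRF and the label is invented.
    # The only inputs are the old master secret and two public nonces.
    label = b"hypothetical master secret advancement"
    return hmac.new(old_secret, label + client_nonce + server_nonce,
                    hashlib.sha256).digest()

class Endpoint:
    """Holds one master secret at a time and counts records sealed under it."""

    def __init__(self, master_secret, limit=GCM_RECORD_LIMIT):
        self.secret, self.limit, self.seq = master_secret, limit, 0

    def next_sequence(self):
        # Refuse before the limit is passed or the sequence number can wrap.
        if self.seq >= self.limit:
            raise KeyLimitReached(f"{self.seq} records under one key")
        self.seq += 1
        return self.seq - 1

    def rekey(self, client_nonce, server_nonce):
        # The old secret is overwritten, so a later compromise of this
        # endpoint does not hand over the secret of an earlier epoch.
        self.secret = advance(self.secret, client_nonce, server_nonce)
        self.seq = 0

def run(limit, nonce_pairs, initial_secret):
    """Return (refusals, endpoint's final secret, secret recomputed offline)."""
    ep, refusals = Endpoint(initial_secret, limit), 0
    for c_nonce, s_nonce in nonce_pairs:
        try:
            while True:
                ep.next_sequence()
        except KeyLimitReached:
            refusals += 1
            ep.rekey(c_nonce, s_nonce)
    # Same chain rebuilt from the first secret and the public nonces alone:
    # every later secret is a fixed function of the earlier one.
    recomputed = initial_secret
    for c_nonce, s_nonce in nonce_pairs:
        recomputed = advance(recomputed, c_nonce, s_nonce)
    return refusals, ep.secret, recomputed
```
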