[TLS] IV Generation was: Clarifications and questions: TLS1.3 - Static RSA and AEAD
Michael StJohns <msj@nthpermutation.com> Tue, 27 May 2014 15:53 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 870CF1A043D for <tls@ietfa.amsl.com>; Tue, 27 May 2014 08:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7muTUCdhUhUk for <tls@ietfa.amsl.com>; Tue, 27 May 2014 08:53:21 -0700 (PDT)
Received: from mail-pa0-f45.google.com (mail-pa0-f45.google.com [209.85.220.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA1261A0193 for <tls@ietf.org>; Tue, 27 May 2014 08:53:21 -0700 (PDT)
Received: by mail-pa0-f45.google.com with SMTP id ey11so9353574pad.4 for <tls@ietf.org>; Tue, 27 May 2014 08:53:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=VHs24BQujt+L5hyFGUl72LpjPWWsC9uds96IZ8RQnck=; b=f7sUMpODhtjuYDZkETIfABOOwge07LpVMHqMyn1xA3b5x3caMZn2ye++uqJb2mOJ2M CK2wohMj/V6c/HJAkeF+jujIGyTwxOTAkv6aoIwm7LTsclkJ8VaDrsq9BRNl9KCnzQIJ OPt7Oerm9ychzdl17GiK7OYoiaDyQaThlWtrId1I2QDHuxBXk4oDer2SfRvmpXqZ1dde jPPYoc6xRakY48Ev+KU+KPjHiq19KkGmsQPYQkrweyih4qmBdn8m3c9i1c+diXozTqGW 3Qe+i7ewGGbR2ZEmPSnyFhqNH1vw+8w1Wp7hjia6rc2nZBVotv7phsOcij+NtAz6rcyq jXwg==
X-Gm-Message-State: ALoCoQkvE3zd98Q8sbOqgEmSxS8n31YMi+M1djFJPwrPEJWMW95hyySNpH450Bhgg9be/ajs9Upo
X-Received: by 10.66.122.208 with SMTP id lu16mr36075979pab.129.1401205998517; Tue, 27 May 2014 08:53:18 -0700 (PDT)
Received: from [192.168.1.102] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id xk1sm75148252pac.21.2014.05.27.08.53.16 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 May 2014 08:53:17 -0700 (PDT)
Message-ID: <5384B4F4.9040109@nthpermutation.com>
Date: Tue, 27 May 2014 11:53:24 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <5383F02F.4050706@nthpermutation.com> <CABcZeBPU8gQtpVOyD5KO28bv3Ggjf-7p1wj8uU8NztnFMfPJ6Q@mail.gmail.com> <53840318.10902@nthpermutation.com> <CABcZeBNCjddKRR=ayBr1LmOeMCv93aYZAquOHhqKHGLnDO81xg@mail.gmail.com>
In-Reply-To: <CABcZeBNCjddKRR=ayBr1LmOeMCv93aYZAquOHhqKHGLnDO81xg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090607050406040909030402"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xjRZl-zZhHxku_VpHJLAZFNp_7U
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] IV Generation was: Clarifications and questions: TLS1.3 - Static RSA and AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 15:53:24 -0000
On 5/26/2014 11:25 PM, Eric Rescorla wrote: > On Mon, May 26, 2014 at 8:14 PM, Michael StJohns > <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote: > > On 5/26/2014 10:32 PM, Eric Rescorla wrote: >> >> Does it also result in changing the output of the "key >> expansion" phase as only "client_write_key" and >> "server_write_key"s will be needed for AEAD? >> >> >> I don't believe so, since AEAD still at least potentially >> requires an IV. > > Right - but we really need to get IV material in a way where it > isn't derived from the master secret. > > > I don't agree with this claim. As I understand the constraints, they > merely > need to be derived in a way that is isolated from the keying material. > Is there a reason that it's unsafe to generate the IVs from the MS > provided > that this condition is met? I'm going to answer this twice because EKR's comment appears to include an slight internal inconsistency or I'm mis-understanding what he meant: 1) ---------------------------------- "isolated from the keying material" can be accomplished one of two ways - by deriving a sub-secret from the master secret and then using that for generating the IV in a keyed PRNG, or by deriving a second secret from the pre-master secret at the same time you generate the master secret and generating the IV from that second secret. I would claim that neither of those is equivalent to "generate the IV's from the MS...." There's a third way that basically injects per-key and iv length information into the KDF expansion - I looked at this and rejected it as it made the KDF security analysis complex and it violated the general principle that cryptographic functions output either public (cipher text, signatures) or private data (key material) and not both. Is there a fourth way you were thinking of? and "isolated" needs to mean "cryptographically isolated". 2) ---------------------------------- As a specific comment on how the master secret is used: The general rule is that the same key shouldn't be used for multiple things. In this case the master secret is used (ignoring for a moment that the functions are all iterations of the PRF): * with a Key Derivation Function to derive key material * with a MAC function to sign the finished messages * with a keyed pseudo random number generator to derive the IV's. By my count that's two too many. The fact that the KDF and PRNG steps are part of the same process is even more problematic. There's literature on this - but an easy reference is section 5.2 of NIST's SP800-57 part 1 rev 3 - http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-57-Part%203-Rev.1: > 5.2 Key Usage > In general, a single key should be used for only one purpose (e.g., > encryption, authentication, > key wrapping, random number generation, or digital signatures). There > are several reasons for > this: > 1. The use of the same key for two different cryptographic processes > may weaken the > security provided by one or both of the processes. > 2. Limiting the use of a key limits the damage that could be done if > the key is compromised. > 3. Some uses of keys interfere with each other. For example, consider > a key pair used for > both key transport and digital signatures. In this case, the private > key is used as both a > private key-transport key to decrypt data-encryption keys and a > private signature key to > apply digital signatures. It may be necessary to retain the private > key-transport key > beyond the cryptoperiod of the corresponding public key-transport key > in order to decrypt > the data-encryption keys needed to access encrypted data. On the other > hand, the private > signature key shall be destroyed at the expiration of its cryptoperiod > to prevent its > compromise (see Section 5.3.6). In this example, the longevity > requirements for the > private key-transport key and the private digital-signature key > contradict each other. > This principle does not preclude using a single key in cases where the > same process can provide > multiple services. This is the case, for example, when a digital > signature provides assurance of > the identity of the originating entity, non-repudiation, source > authentication and integrity > protection using a single digital signature, or when a single > symmetric data-encryption key can > be used to encrypt and authenticate data in a single cryptographic > operation (e.g., using an > authenticated-encryption operation, as opposed to separate encryption > and authentication > operations). Also refer to Section 3.7. > This Recommendation also permits the use of a private key-transport or > key-agreement key to > generate a digital signature for the following special case: > When requesting the (initial) certificate for a static > key-establishment key, the associated > private key may be used to sign the certificate request. Also refer to > Section 8.1.5.1.1.2. Because the IV may be used for things like nonces, the IV generator needs to be unpredictable, but able to be generated synchronously from data available to the sender and receiver. It's unclear that it needs any more entropy (e.g. a key) than that available in the client_random and server_random. If the per-message IV is carried in its entirety in the message, then the IV generator need not be coordinated between sender and receiver. From a general cryptographic point of view, an IV is NOT a confidential data element. A cipher mode is required to be secure even if the IV is available to an attacker, so again, it's unclear the IV generator needs to be a keyed PRNG. Mike
- [TLS] Clarifications and questions: TLS1.3 - Stat… Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Eric Rescorla
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Eric Rescorla
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Alyssa Rowan
- Re: [TLS] Clarifications and questions: TLS1.3 - … Eric Rescorla
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Watson Ladd
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Eric Rescorla
- Re: [TLS] Clarifications and questions: TLS1.3 - … Jakob Breier
- Re: [TLS] Clarifications and questions: TLS1.3 - … Dan Brown
- Re: [TLS] Clarifications and questions: TLS1.3 - … Jakob Breier
- Re: [TLS] Clarifications and questions: TLS1.3 - … Dan Brown
- Re: [TLS] Clarifications and questions: TLS1.3 - … Watson Ladd
- [TLS] IV Generation was: Clarifications and quest… Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Michael StJohns
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Clarifications and questions: TLS1.3 - … Alyssa Rowan
- Re: [TLS] Clarifications and questions: TLS1.3 - … Andy Lutomirski
- Re: [TLS] Clarifications and questions: TLS1.3 - … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] IV Generation was: Clarifications and q… Martin Rex
- Re: [TLS] IV Generation was: Clarifications and q… Michael StJohns
- Re: [TLS] IV Generation was: Clarifications and q… Martin Rex
- Re: [TLS] IV Generation was: Clarifications and q… Michael StJohns
- Re: [TLS] IV Generation was: Clarifications and q… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] IV Generation was: Clarifications and q… Michael StJohns