[TLS] DTLS KeyUpdate
Martin Thomson <martin.thomson@gmail.com> Wed, 01 November 2017 05:45 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 592A113FCBC for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 22:45:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHkTwKtruHd1 for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 22:45:03 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45BF913FCB1 for <tls@ietf.org>; Tue, 31 Oct 2017 22:45:03 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id g125so1905542oib.12 for <tls@ietf.org>; Tue, 31 Oct 2017 22:45:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=wPfvWqcJqzv0SweMahEkLIRjcFAKajJ81caCb+goHuQ=; b=mCuSFjBkzdGYPP8D1aMA4Ere5Mh3HGnF3CggPHGm9OVGTjJeT0VgynU4FBWbFBp5qw S1shiCEwr5FzvJ7lxIpd1wvbGpiZZ+cBeIKWLaAdnboPCcM2KT+kE07lNA4r6GdP82p5 YmLbpk5zAMtYKBbufgfCbcsHwrM9VOjfkXGdhmpgN8VAo3QAy+4EeEFFi1pIYy2bg0YP HazTZbDmyDsPz5Pmx3jrn3COko2WEuyO4AxooskUq/NtkD+krYBd5Ag+xw/Ly21WAM3B pwtTRPXeRWfxhaJiy6iRa0gfkiPx/iYzXFvBq8ADf82Q26iiVw0CTFnGeTil9hRsTyj2 TjaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=wPfvWqcJqzv0SweMahEkLIRjcFAKajJ81caCb+goHuQ=; b=ltreu3f7x1zg9gnd4yPQiyoWLq6YcXm773lXvyIqZV0u1vXXxNTX9iffeDh95Ljs15 qTuHaXf25A/9QosfpLe5hH9maUnXY0DZF5J4Nan1UoyZnH12Naqv/AC+2nyPunf+6pHF Bzz7lj8pjksPN/gYQE1iz0TOCuBDc/8U9zd9ytKQvYPqy0GhKtYguNL7sfEJ2g1Q4jFw jXzSleL83Vx5zDGpKX6X5lyJmgn0zE+fxRZis1KdfzlZ82g61qlSk6vZtRKPTTJ2yfsm ylP5rgE5nG8OfO8UeAFYymAP6oT5qPusbAJ3HfHCfrI+L9sf0GyTNiNPpx806BC8sDWi OJvg==
X-Gm-Message-State: AMCzsaXE/NNt4XIio5RuE/nM0X0tiLxny64+O/mFp5dSuAtX8qduiUWr 0OdmgecfZSP0JzD/P8Sp68U8eqbohSA6EvEBJiNvEdCK
X-Google-Smtp-Source: ABhQp+Q+KmRXmsmyIQ4CfTO0Pe8MJx4hpMenczTAX/UBWmhwrFokuZHmzyHUD8+20+OLvHBbak2hJokeqi2U4gU1Um0=
X-Received: by 10.202.166.141 with SMTP id t13mr2255527oij.392.1509515102283; Tue, 31 Oct 2017 22:45:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.72.178 with HTTP; Tue, 31 Oct 2017 22:45:01 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 01 Nov 2017 16:45:01 +1100
Message-ID: <CABkgnnV9qZEfD3YgSV2+d3Y0wn12Er-G-tKJVyNWjqTctAerjA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yjRfOsigQVNT2duJaS4M-UbJo-c>
Subject: [TLS] DTLS KeyUpdate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 05:45:06 -0000
(From https://github.com/tlswg/dtls13-spec/issues/25) Using the TLS process for KeyUpdate - as the current draft does - leads to a suboptimal set of choices in implementations. Sending KeyUpdate followed immediately by a key change means that KeyUpdate isn't a reliable indicator of a key change at the receiver. If the record containing the KeyUpdate is lost, then the receiver will be unable to decrypt anything sent after it unless it looks at the epoch and tries the new keys. That suggests a receiver design much closer to the one in QUIC, where the KEY_PHASE bit (here, the low bit of the epoch) is the only signal of a key update. The receiver could buffer those records, but I don't see why it would choose head-of-line blocking and a potentially-large memory commitment over trialing the new epoch. I would prefer a different design, even if it diverges from the TLS design. 1. That could be the same design as QUIC uses, with the epoch bit signaling intent. The cost there is that you need to use the bit as an acknowledgment of a key update, so you end up having to keep key updates in lock step, even if no update is needed. If there are asymmetric sending patterns, this isn't ideal. 2. Wait until the KeyUpdate is acknowledged before installing new keys. When KeyUpdate is received, the receiver installs new keys, but retains old keys on a timer (the holddown timer would do). The sender waits for the ACK and starts using new keys when it sees it. The cost here is that switching keys can't be immediate and it requires hooks into the ACK handling logic, neither of which is ideal. I have implemented the former and it's a little ugly, but I haven't tried the latter.
- [TLS] DTLS KeyUpdate Martin Thomson
- Re: [TLS] DTLS KeyUpdate Eric Rescorla