Re: [TLS] Closing on keys used for handshake and data messages

[Douglas Stebila]

On Jun 3, 2016, at 17:54, Joseph Salowey  wrote:
> 
> Unfortunately, the TLS record framing is not easily compatible with having 
> multiple keys used simultaneously: because we encrypt the content type, it is 
> not possible to use it to determine which key to use to decrypt. We examined 
> a number of proposals which would allow you to simultaneously have encrypted 
> content types and separate keys, but they all appear to be nonviable for one 
> reason or another:

[...]

>   • Separately encrypting the content type is inefficient in a number of 
> ways, especially for DTLS (and would need separate security analysis). This 
> is probably the most viable of the “try to get both” designs.

I'd also like more information about the reasoning behind saying that 
separately encrypting the content type is inefficient.  

There was some discussion off-list (but not much) about a proposal to encrypt 
content type (handshake or application) with a separate key, then encrypting 
data with the corresponding key (handshake key or application key).  The 
content type would be encrypted using unauthenticated encryption, resulting in 
a single byte of ciphertext.  The authenticated encryption using the 
corresponding key would include the type as associated data to authenticate it. 
 

This had a few drawbacks as I remember it: 
1) requires one additional byte in the communication; 
2) requires deriving and keeping an extra key (the "content type key") around;
3) requires additional encryption/decryption
4) composability of the application key would still be lost because of 
post-handshake client authentication.

In the off-list discussion, Eric had a potential solution to (1).  (3) was 
unavoidable but in my opinion relatively minimal cost.  (4) is true, but we now 
have Hugo's results that give a form of restricted composability that 
accommodate post-handshake client authentication.  

There may have been additional discussions that I wasn't around for.  I have 
heard it suggested that (2) is the particularly problematic aspect for DTLS, 
but I do not know enough about DTLS to understand this.  Even if it is 
problematic for DTLS, if it is not so problematic for TLS, then why not do it 
for at least TLS?  

Douglas
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Closing on keys used for handshake and data messages

[Björn Tackmann]

Hi dkg,

sorry for my late response.

Let me start by saying that I do not believe that this is really critical; 
after all, we can prove alternative (1) as well — it’s just less clean and 
makes the proofs harder to write, read, and verify, which is generally not a 
good thing for a cryptographic protocol. On the other hand, the privacy 
improvements offered by alternative (2) appear to be rather moderate; even if 
we were to realistically achieve the best privacy it could offer, it would 
protect the fact that a “new session ticket” message (is this a gain at all?) 
or a client auth message was sent. If I understood correctly, client auth has 
not been widely used in previous TLS versions, and even if this would change, 
it’s not quite clear how big the gain is. Maybe you have more precise insights 
into this than I do?


> On Jun 9, 2016, at 11:56 PM, Daniel Kahn Gillmor  
> wrote:
> 
> I confess i was hoping that double-encrypting would provide some measure
> of useful key separation for cryptanalysis.  I don't think i understand
> Ilari's explanation in this thread, though, so i'd appreciate any other
> attempts to clarify.

Double encryption is not problematic. It just does not have advantages over 
alternative (1) in terms of cryptographic analysis (it does not quite help in 
modularizing the proofs). On the other hand, we’ve heard (others may want to 
chime in) that it /does/ make the implementation more cumbersome, in the sense 
that it requires more changes to the existing code base.

In that sense, it appears to be strictly dominated by alternative (1).


>> PUBLIC CONTENT TYPES
>> 
>> Clearly, having a public content type and separate keys for handshake and
>> application data provides full key separation, at the cost of revealing
>> whether a given record is handshake or application data (and potentially
>> alerts). The major question that the group had was whether it was actually
>> possible to conceal this information effectively, even with encrypted
>> content types, since hiding the handshake messages in the application
>> traffic requires detailed knowledge about the application traffic pattern
>> (e.g., packet lengths, timing, response patterns, etc.). It’s clear some
>> analysis of this is needed.
> 
> We know that traffic analysis is difficult, and may in some cases be
> impossible.  This is an area in need of active research.  However,
> deciding to make it *always* impossible to protect because we don't know
> how to protect it absolutely is "security nihilism", and i hoped we were
> moving beyond that mindset as a community.

I beg to disagree here.

First, we would not drop it for no reason whatsoever. We would drop it because 
dropping it has other advantages. It’s a trade-off.
Second, we should in any case carefully point out that this mechanism alone, 
i.e., without proper padding etc., may not provide any additional privacy 
guarantees. A security mechanism that does not work can be worse than no 
mechanism at all if people start relying on it without understanding what it 
achieves.

Introducing a mechanism without analyzing it is somewhat akin to what happened 
to encryption with compression. (Used properly, it can be useful.) I hoped we 
were moving beyond that mindset — sorry for echoing ;-)


> If we don't have a mechanism to hide this metadata, then we certainly
> won't develop any useful practice around actually making it
> indistinguishable.  Protecting users is a multidimensional problem.  We
> should provide a mechanism to make this information indistinguishable in
> the axis we know how to handle (encrypting the material itself) so that
> there is a reason for people to work on the axes we don't yet know how
> to handle (protecting against traffic analysis).

I’m totally in for protecting user privacy. I simply believe that we should 
first specify what we want, then see whether we can achieve it, and then build 
the mechanism that does it.


Cheers,
Bjoern


--
Björn Tackmann
Postdoctoral Research Scholar
Computer Science & Engineering, UC San Diego



___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Closing on keys used for handshake and data messages

[Daniel Kahn Gillmor]

On Fri 2016-06-03 17:54:53 -0400, Joseph Salowey wrote:
>Trial decryption has serious implementation problems
>-
>Double-encrypting handshake messages in both the handshake key and the
>application key does not actually provide the required key separation
>-
>Separately encrypting the content type is inefficient in a number of
>ways, especially for DTLS (and would need separate security analysis). This
>is probably the most viable of the “try to get both” designs.

I'm saddened by this analysis :( I understand that trial decryption
precludes inplace decryption, and i can see why that makes it a
non-starter for some implementations.

I confess i was hoping that double-encrypting would provide some measure
of useful key separation for cryptanalysis.  I don't think i understand
Ilari's explanation in this thread, though, so i'd appreciate any other
attempts to clarify.

> This leaves us with two primary alternatives:
>
>1. Use the same key (as in the current draft-13)
>2. Restore a public content type and different keys

Between these two options, I strongly prefer option 1.

> PUBLIC CONTENT TYPES
>
> Clearly, having a public content type and separate keys for handshake and
> application data provides full key separation, at the cost of revealing
> whether a given record is handshake or application data (and potentially
> alerts). The major question that the group had was whether it was actually
> possible to conceal this information effectively, even with encrypted
> content types, since hiding the handshake messages in the application
> traffic requires detailed knowledge about the application traffic pattern
> (e.g., packet lengths, timing, response patterns, etc.). It’s clear some
> analysis of this is needed.

We know that traffic analysis is difficult, and may in some cases be
impossible.  This is an area in need of active research.  However,
deciding to make it *always* impossible to protect because we don't know
how to protect it absolutely is "security nihilism", and i hoped we were
moving beyond that mindset as a community.

If we don't have a mechanism to hide this metadata, then we certainly
won't develop any useful practice around actually making it
indistinguishable.  Protecting users is a multidimensional problem.  We
should provide a mechanism to make this information indistinguishable in
the axis we know how to handle (encrypting the material itself) so that
there is a reason for people to work on the axes we don't yet know how
to handle (protecting against traffic analysis).

  --dkg


signature.asc
Description: PGP signature
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Closing on keys used for handshake and data messages

[Ilari Liusvaara]

On Sat, Jun 04, 2016 at 02:26:00AM -0400, Dave Garrett wrote:
> On Friday, June 03, 2016 05:54:53 pm Joseph Salowey wrote:
> > Unfortunately, the TLS record framing is not easily compatible with having
> > multiple keys used simultaneously: because we encrypt the content type, it
> > is not possible to use it to determine which key to use to decrypt. We
> > examined a number of proposals which would allow you to simultaneously have
> > encrypted content types and separate keys, but they all appear to be
> > nonviable for one reason or another:
> > 
> >- Trial decryption has serious implementation problems
> >- Double-encrypting handshake messages in both the handshake key and the
> >application key does not actually provide the required key separation
> >- Separately encrypting the content type is inefficient in a number of
> >ways, especially for DTLS (and would need separate security analysis). 
> > This
> >is probably the most viable of the “try to get both” designs.
> 
> Could someone please elaborate on why nested encryption would be a
> problem?

The problem is that nested encryption does not solve the separation
problem (application misusing keys it has[1] in ways that interact
badly with the (late) handshake[2]).

Essentially the difference is "the generated key is safe to use with
any protocol" versus "the generated key is safe to use for TLS 1.3".

And if the first is not true, proving the second is harder (even if
it should be true, barring massive design errors[3] or applications
doing utterly crazy stuff[4]).


[1] Nevermind it REALLY SHOULD NOT actually have those keys, but only
plaintext access to its own mux stream.

[2] In normal TLS operation, the protocol mux/demux prevents such
interference from actually occuring.

[3] Like grossly broken protocol mux.

[4] Stuff applications have absolutely no legimate business of doing
(if I ever see such things, my first assumption about the cause will
be malice).


-Ilari

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Closing on keys used for handshake and data messages

[Dave Garrett]

On Friday, June 03, 2016 05:54:53 pm Joseph Salowey wrote:
> Unfortunately, the TLS record framing is not easily compatible with having
> multiple keys used simultaneously: because we encrypt the content type, it
> is not possible to use it to determine which key to use to decrypt. We
> examined a number of proposals which would allow you to simultaneously have
> encrypted content types and separate keys, but they all appear to be
> nonviable for one reason or another:
> 
>- Trial decryption has serious implementation problems
>- Double-encrypting handshake messages in both the handshake key and the
>application key does not actually provide the required key separation
>- Separately encrypting the content type is inefficient in a number of
>ways, especially for DTLS (and would need separate security analysis). This
>is probably the most viable of the “try to get both” designs.

Could someone please elaborate on why nested encryption would be a problem? No 
objection to avoiding trial decryption, though.

The general expectation I would have for doing double encryption here would be 
to encrypt TLSCiphertext normally with the application traffic key and 
TLSCiphertext.content would be the real unencrypted length plus an 
aead-ciphered struct of the message which is encrypted with the relevant key. 
(the unencrypted length would be the inner encrypted block's length, in this 
scenario)


Dave

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls