Comments (10)
This was allowed but not described. I made a PR describing this. A problem is that KeyUpdate in DTLS 1.3 does not change the exporter master secret so we might need to add some sequence number to the exporter....
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
So the PR #21 does the information text. But the question about exporter remains.
Yes, if new keys are needed we would need to add a sequence to the label or the context of the exporter. EAP-TLS 1.3 wanted to put a type code in the context but TLS people rather wanted concatenation with the label. (just a matter of principles)
Might also be the case that we don't derive any new key for SCTP-AUTH and use the same key during the lifetime of the DTLS connection. Untruncated HMAC-256 is very strong and has a 256-bit key. (need to check these details, but I think it is a 32 byte key and tag). Without PFS the only reason to rekey would be AEAD limits.
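The two comments above make a concrete cryptographic point: a DTLS 1.3 KeyUpdate rotates the application traffic secrets, but the exporter_master_secret is untouched, so calling the exporter again with the same label and context yields the same SCTP-AUTH key, and a counter has to be bound into the exporter label or context if a fresh key is wanted. The following Python is an added illustration written for this page, not code from the draft or its authors. It implements HKDF-Expand-Label, Derive-Secret, TLS-Exporter and the KeyUpdate secret rotation exactly as RFC 8446 sections 7.1, 7.2 and 7.5 define them (SHA-256), using a constructed exporter_master_secret and a hypothetical exporter label; the real label registered by the draft is not taken from here.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) instantiated with HMAC-SHA-256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1). HkdfLabel is
    uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (
        struct.pack("!H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret (RFC 8446, section 7.1): the context is the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, key_length: int) -> bytes:
    """TLS-Exporter (RFC 8446, section 7.5), also used by DTLS 1.3."""
    return hkdf_expand_label(
        derive_secret(exporter_master_secret, label, b""),
        b"exporter",
        HASH(context).digest(),
        key_length,
    )


def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1 (RFC 8446, section 7.2): what a KeyUpdate rotates."""
    return hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)


# Constructed stand-ins; these are not secrets from any real handshake.
EXPORTER_MASTER_SECRET = hashlib.sha256(b"constructed exporter_master_secret").digest()
TRAFFIC_SECRET_0 = hashlib.sha256(b"constructed client_application_traffic_secret_0").digest()
# Hypothetical label; the label the bis draft actually registers is not reproduced here.
LABEL = b"EXPORTER-constructed-dtls-sctp-label"
KEY_LEN = 32  # 32-byte SCTP-AUTH key for HMAC-SHA-256, the size discussed in the thread


def simulate_key_updates(updates: int) -> tuple:
    """Perform `updates` KeyUpdates and re-run the exporter with a fixed (empty) context
    after each one. Returns (traffic_secrets, exported_keys): the traffic secrets all
    differ, while every exported key is identical because exporter_master_secret is unchanged."""
    traffic = [TRAFFIC_SECRET_0]
    exported = [tls_exporter(EXPORTER_MASTER_SECRET, LABEL, b"", KEY_LEN)]
    for _ in range(updates):
        traffic.append(next_traffic_secret(traffic[-1]))
        exported.append(tls_exporter(EXPORTER_MASTER_SECRET, LABEL, b"", KEY_LEN))
    return traffic, exported


def sctp_auth_key(sequence: int) -> bytes:
    """Export the sequence-th SCTP-AUTH key by binding a 32-bit counter into the exporter
    context, the fix suggested in the thread (concatenating it with the label works too)."""
    return tls_exporter(EXPORTER_MASTER_SECRET, LABEL, struct.pack("!I", sequence), KEY_LEN)


if __name__ == "__main__":
    traffic, exported = simulate_key_updates(3)
    print("distinct traffic secrets after 3 KeyUpdates:", len(set(traffic)))
    print("distinct exported keys with fixed context:  ", len(set(exported)))
    print("distinct exported keys with counter context:", len({sctp_auth_key(i) for i in range(4)}))
```

Running it shows four distinct traffic secrets but a single exported key across the KeyUpdates, and four distinct keys once the counter is in the context. Both peers must agree on the counter encoding and on when it increments, which is the kind of text the thread says the draft needs if SCTP-AUTH is ever to be rekeyed within one DTLS 1.3 connection.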
> This was allowed but not described. I made a PR describing this. A problem is that KeyUpdate in DTLS 1.3 does not change the exporter master secret so we might need to add some sequence number to the exporter....
Interesting. Do you know why that master secret is not changed?
> Might also be the case that we don't derive any new key for SCTP-AUTH and use the same key during the lifetime of the DTLS connection. Untruncated HMAC-256 is very strong and has a 256-bit key. (need to check these details, but I think it is a 32 byte key and tag). Without PFS the only reason to rekey would be AEAD limits.
OK. But why do we perform a change of key material used by DTLS layer and not perform one at SCTP layer?
The TLS AEAD (e.g. AES-GCM) needs to change keys quite frequently. TLS 1.3 has put very strict limits of around 2^23 records (or something like that). The HMAC-SHA256 is much stronger and could go much longer without changing keys (for these reasons).
You might still want to change both keys to limit the effect of key leakage. That would with current TLS 1.3 require terminating the TLS connection and doing resumption.
I don't know for certain why the key is not changed but I can speculate.
The renegotiation in earlier versions was basically a handshake inside the connection, theoretically allowing renegotiation of all parameters. It has been troubled by a lot of security issues, partly because it is big and complex. It seems to be disabled in most libraries by default, but I don't know how severe the remaining security problems are.
Given this, I think the TLS working group wanted something small and simple that they could prove the security of. Also web connections are typically not that long. Some use cases of the exporter, like EAP-TLS, use the exporter once and then close the connection. I guess nobody required this property when TLS 1.3 was designed.
> I don't know for certain why the key is not changed but I can speculate.
> The renegotiation in earlier versions was basically a handshake inside the connection, theoretically allowing renegotiation of all parameters. It has been troubled by a lot of security issues, partly because it is big and complex. It seems to be disabled in most libraries by default, but I don't know how severe the remaining security problems are.
> Given this, I think the TLS working group wanted something small and simple that they could prove the security of. Also web connections are typically not that long. Some use cases of the exporter, like EAP-TLS, use the exporter once and then close the connection. I guess nobody required this property when TLS 1.3 was designed.
Thank you very much for the explanation.
> The TLS AEAD (e.g. AES-GCM) needs to change keys quite frequently. TLS 1.3 has put very strict limits of around 2^23 records (or something like that). The HMAC-SHA256 is much stronger and could go much longer without changing keys (for these reasons).
OK.
> You might still want to change both keys to limit the effect of key leakage. That would with current TLS 1.3 require terminating the TLS connection and doing resumption.
Sure. Thanks for the clarification.
I was just looking for symmetry between
- DTLS 1.2 where a renegotiation is performed to refresh keys
- DTLS 1.3 where re-keying is performed to refresh keys
and updating the SCTP level key for 1. but not for 2.
So SCTP-AUTH rekeys on DTLS connection renegotiation. Which will mean never for DTLS 1.3 unless there are future extensions to enable it. While it can occur for DTLS 1.2. If that is correctly summarized I think this issue can be closed.