Re: [Cfrg] Help with the use of contexts
Tibor Jager <tibor.jager@gmail.com> Sun, 05 February 2017 07:48 UTC
Return-Path: <tibor.jager@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EAC51294C9 for <cfrg@ietfa.amsl.com>; Sat, 4 Feb 2017 23:48:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HgGf5QIb6mBR for <cfrg@ietfa.amsl.com>; Sat, 4 Feb 2017 23:48:03 -0800 (PST)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8C3112945C for <cfrg@irtf.org>; Sat, 4 Feb 2017 23:48:02 -0800 (PST)
Received: by mail-qk0-x22e.google.com with SMTP id 11so29331929qkl.3 for <cfrg@irtf.org>; Sat, 04 Feb 2017 23:48:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=8DvZzCCgiZk0shW1SebR+twKG/r+RFkMcbgvEjElcNM=; b=JXdaIT3X2CFM8xtknTd1umVfhCTL+6gMw39Pw7nUsfWOiXLa6iK/OPqMggWJDBGZdm upeFaOOGhrQ7qt1RSBcTw+6Sd+ARDdTnHzXUe4cvVGTB9YTqrbJCejyLCpzC9vN1Dno/ Ij0xDZ0XSePNvgMAqFLNMvAMtp+XyCf13Xt08sauUPCIDkGvlUO8bSyc+rhugviPYUcw kU2WWM3IWBar5i/2WwfJprx2XnUYkpXV945W95SZ8bpBLjmTTklsDoQ+MdmQgjTYL/de 6zGFNUdxe6UVSTdXYt34bn77QzA2qC2K7NzaE3xEYpdjWZ0XEYFD+4vjkvodOj5FdBwO W0xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=8DvZzCCgiZk0shW1SebR+twKG/r+RFkMcbgvEjElcNM=; b=s6cVhAvAmuLE/sXWYztXNMrfNYl7Ms+x4OD3GNNru+vorgHvhZDdiQNMSgCt09G3hH UYRj6V9o2f84uhPbZ7BsMrJrju3sa6HkkhdQ31I+FsVZIMMOHufRnbMuC3VS7O95ZMCU VdiIN52i+vsH8Uw/9tcPV8tZJ57Chmht3h0xbgYkyfdredSaXygW0VtCQt6mswPx0OTL tQmhCJwQte5mmEJiulsHEX/KhFCgm/RXdEp+ZSi1ZUtqZtVKWgUgv980EmlOI9LoI62a SeOBGoeEQjYhfOhEVYlU8Hk+odPilWFzwKBoUl0PMdH93qLDLBH6T0e3q4RYpi18Cero 5shQ==
X-Gm-Message-State: AMke39mlfOCjonAq4LVnEyvW9RmdRZX4dloAEZ0ssVhdvQnx7PwF273tIXyfeV4gasitaSlETahJ7RVQkzxRbg==
X-Received: by 10.55.183.1 with SMTP id h1mr4370809qkf.88.1486280881714; Sat, 04 Feb 2017 23:48:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.31.75 with HTTP; Sat, 4 Feb 2017 23:48:01 -0800 (PST)
In-Reply-To: <20170203125533.GA11515@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20170116200948.6535.qmail@cr.yp.to> <5eeb3d4d-1fc0-35ba-6f47-87fa0d808edc@cs.tcd.ie> <AA42E783-43FC-4C9B-A387-623B5B18B4FB@gmail.com> <708C8E8E-37AE-4B8F-9843-B0F8CDB29229@gmail.com> <CACsn0cm22h8_61CEZjKYyHfnd7vvnC39ZMjhusjWcZKu_Z0zhw@mail.gmail.com> <DA141A39-05C2-4B87-92FA-AE8C5421E104@gmail.com> <0435210f-0aa4-1c34-89d6-0f7a2aef0621@cs.tcd.ie> <D4B4D5E4.82A6D%kenny.paterson@rhul.ac.uk> <CA+yVaTxTbqDUBbX2oTgC6BT2LprOz8uqAbhTRukuqfZD124kSA@mail.gmail.com> <20170203125533.GA11515@LK-Perkele-V2.elisa-laajakaista.fi>
From: Tibor Jager <tibor.jager@gmail.com>
Date: Sun, 05 Feb 2017 08:48:01 +0100
Message-ID: <CA+yVaTzr+9rFM_GX--6B+M8hyz5O-bWFmjDwEiPKeOyCM17zXQ@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="94eb2c06fa2cfdc4730547c3bb12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DbFhTndnZq4yl0CcEIy0bb4QyOs>
Subject: Re: [Cfrg] Help with the use of contexts
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Feb 2017 07:48:04 -0000
On 03/02/2017 13:55, Ilari Liusvaara wrote: > On Fri, Feb 03, 2017 at 09:16:11AM +0100, Tibor Jager wrote: >> On 30 January 2017 at 12:40, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> >> wrote: >> >>> So: does anyone else want to offer an opinion on the question of contexts? >>> >>> >> Contexts are a clean and relatively simple way to prevent cross-protocol >> attacks, in particular when implemented in an as simple way as proposed >> by Adam and Dan. > > Unfortunately, in practice those are anything but clean and simple. > > Yes, the theoretical notion is pretty simple (where (context,message) > tuple replaces the message in standard notion of signature security). > > The biggest practical problem: Backwards compatiblity, the ever-present > nemsis of security. We do not have to change old protocols in order to enable domain separation via contexts in new protocols: - Old protocols: keep signing messages as before: sig = Sign(sk, m) - New protocols: sign messages as sig = Sign(sk, ctx||m) Here, ctx is a "unique" and sufficiently large context string, which even in presence of an attacker is unlikely to occur in the message m of any existing protocol. For example, one could use the ASCII string "TLS 1.3 TLS 1.3 TLS 1.3 ...", repeating "TLS 1.3" a suitable number of times. The symbol || denotes concatenation of bytes, possibly with a NULL-byte as a separator. This is how I understand the solution pointed to by Adam and explained by Dan, and it seems similar in spirit to (but simpler than) what Natanael described. In particular, it seems not to break backwards compatibility with existing protocols, but would allow a smooth transition to the use of contexts to achieve domain separation, and thus help to prevent cross-protocol attacks.
- [Cfrg] Help with the use of contexts Sean Turner
- Re: [Cfrg] Help with the use of contexts Paterson, Kenny
- Re: [Cfrg] Help with the use of contexts Adam Langley
- Re: [Cfrg] Help with the use of contexts D. J. Bernstein
- Re: [Cfrg] Help with the use of contexts Yaron Sheffer
- Re: [Cfrg] Help with the use of contexts Stephen Farrell
- Re: [Cfrg] Help with the use of contexts Watson Ladd
- Re: [Cfrg] Help with the use of contexts Yoav Nir
- Re: [Cfrg] Help with the use of contexts Adam Langley
- Re: [Cfrg] Help with the use of contexts Dan Brown
- Re: [Cfrg] Help with the use of contexts Yaron Sheffer
- Re: [Cfrg] Help with the use of contexts Ilari Liusvaara
- Re: [Cfrg] Help with the use of contexts Yoav Nir
- Re: [Cfrg] Help with the use of contexts Watson Ladd
- Re: [Cfrg] Help with the use of contexts Yoav Nir
- Re: [Cfrg] Help with the use of contexts Stephen Farrell
- Re: [Cfrg] Help with the use of contexts Paterson, Kenny
- Re: [Cfrg] Help with the use of contexts Tibor Jager
- Re: [Cfrg] Help with the use of contexts Ilari Liusvaara
- Re: [Cfrg] Help with the use of contexts Natanael
- Re: [Cfrg] Help with the use of contexts Tibor Jager
- Re: [Cfrg] Help with the use of contexts Ilari Liusvaara