[TLS] Minor note: static DH key exchange also impacted by KCI attacks
Dan Brown <dbrown@certicom.com> Tue, 15 April 2014 14:14 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2EA81A0441 for <tls@ietfa.amsl.com>; Tue, 15 Apr 2014 07:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.802
X-Spam-Level:
X-Spam-Status: No, score=0.802 tagged_above=-999 required=5 tests=[BAYES_50=0.8, CTYPE_001C_B=0.001, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zh8LdO_L80N1 for <tls@ietfa.amsl.com>; Tue, 15 Apr 2014 07:14:49 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id C54FA1A00CF for <tls@ietf.org>; Tue, 15 Apr 2014 07:14:46 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs215cnc.rim.net with ESMTP/TLS/AES128-SHA; 15 Apr 2014 10:14:38 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0174.001; Tue, 15 Apr 2014 10:14:37 -0400
From: Dan Brown <dbrown@certicom.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Minor note: static DH key exchange also impacted by KCI attacks
Thread-Index: Ac9YAEy+i62WjDR6Se6hWsKbkTXMtQ==
Date: Tue, 15 Apr 2014 14:14:37 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C710BE@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0000_01CF5893.81216540"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-afJn-JXXVO2HK1bfsj1Gju2IbU
Subject: [TLS] Minor note: static DH key exchange also impacted by KCI attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 14:14:52 -0000
The following point about attacks on static DH may be moot because (1) static DH key exchange is rarely (or never?) used in TLS, especially on the client side, (2) maybe most hosts do not even have static DH certs to support these TLS ciphersuites, (3) static DH is already vulnerable to FS attacks, and (4) static DH is likely to be deprecated in favour of ephemeral DH (I'm only presuming this, because I haven't been following TLS closely enough to be sure). Recall that key-compromise impersonation (KCI) means that if Eve learns Bob's long-term private key, then Eve can use it to impersonate Alice to Bob (i.e. not just impersonate Bob to anybody else). Like a forward secrecy (FS) attack, its pre-requisite is a compromised long-term key, but the negative consequence is impersonation rather than secret compromise. Static DH has long been known not to resist either KCI or FS attacks. The heartbleed bugs suggests that the long-term private key compromise pre-requisite to both FS and KCI attacks might have been available. Static DH usage in TLS may therefore have been affected by KCI or FS attacks. If a server lost its static DH private key via heartbleed, then a KCI adversary may have been able to impersonate client's static DH keys (or re-used ephemeral DH keys for any server trusting re-used ephemerals as in TOFU). If some similar bug, or something else, ever leaks client static DH private keys, or re-used ephemeral DH private keys, then such a client may be affected by a KCI attack in which servers using static DH for authentication are impersonated. So, KCI attacks give all the more reason (i.e. in addition to FS attacks) to use key agreement involving ephemeral keys from both sides, and in particular to deprecate static DH key exchange. It TLS wants to keep static DH around, then it should somehow explain or remedy both FS and KCI threats. Authentication via run-time signing prevents KCI attacks, so TLS's [EC]DHE suites resist KCI attacks. If TLS wants authentication without signing (say, for better efficiency or for better off-the-record properties), then it should also be careful to avoid KCI attacks. By the way, resistance to FS attacks does not imply resistance to KCI attacks: for example, the unified model key agreement scheme from SP 800-56A does not resist KCI attacks. Best regards, Daniel Brown Research In Motion Limited