IETF Logo Mail Archive

Re: [TLS] Kill Finished (and other tricks for hardware)

Michael StJohns <msj@nthpermutation.com> Fri, 18 April 2014 14:45 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98A5B1A01BB for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 07:45:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2cX02zR_sSH for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 07:45:02 -0700 (PDT)
Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) by ietfa.amsl.com (Postfix) with ESMTP id 92BD41A030E for <tls@ietf.org>; Fri, 18 Apr 2014 07:44:59 -0700 (PDT)
Received: by mail-qc0-f171.google.com with SMTP id c9so1754137qcz.16 for <tls@ietf.org>; Fri, 18 Apr 2014 07:44:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=BKEFYswUfYMLMwYjhaSd/bysqMIp241d4kFyWR1ieRg=; b=ivrSNJtvUdC2ELWisaAJA2QgffKKqrjJo0Ki+wLytsWcDGgL1ZwVQbJT5PveRO5Fbd zV91PaBBacN/0TGnwHdXJonXy0R7TrCXoLEEdQbr/AZ+RWq7kcSbWHHgtxtcoZom/u20 5qo9DrnW06KSYQEat0GUWUvWHYxyJ40ApEwc8GD59C9Q+hnJkRse//ND1cWFR8k1v8DA cJOuKTIbKtkJJ5sFf5ZmRAK089UWr+PnlnaxPvNJyVkHAxDKnO47N1aDF4wZ8DYEwaCK XY1EhmC6A8pQ5hC83PDPSAn1GZzBYPaZSQQ3zDnDICfFbR9MhLMm+Kj3s5sxyH9R1M+j GSqg==
X-Gm-Message-State: ALoCoQnhOCGErB6+ulBlnpjgFRJGJ5TTH0Nf1PqC5G1RBR5HhSYl085Pi76Xbw82iwrUyXNL485v
X-Received: by 10.224.13.7 with SMTP id z7mr21297090qaz.4.1397832295466; Fri, 18 Apr 2014 07:44:55 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id s13sm56011227qag.19.2014.04.18.07.44.55 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 18 Apr 2014 07:44:55 -0700 (PDT)
Message-ID: <53513A6B.8080606@nthpermutation.com>
Date: Fri, 18 Apr 2014 10:44:59 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cm7CU3HBOY-m90+HwGBuw+nZ7vyqRdHZcfDjw7wiTmDMw@mail.gmail.com> <5350BF46.7000608@pobox.com>
In-Reply-To: <5350BF46.7000608@pobox.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-jQEF7CkW_bRCV0xuVfxxK76wf8
Subject: Re: [TLS] Kill Finished (and other tricks for hardware)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 14:45:04 -0000

Edited and comments in line.

On 4/18/2014 1:59 AM, Michael D'Errico wrote:
> Watson Ladd wrote:
>>
>> So I propose the following changes:...
>>
>> Finished dies.  .........
>
> This is a much weaker failure indication than checking the Finished
> messages, so I'd prefer to keep them.  Can you think of an alternate
> construction for the Finished message that doesn't use the PRF?

The simplest thing here is to use the negotiated PRF algorithm 
(SecurityParameters.prf_algorithm, not the TLS PRF wrapper around that 
algorithm) directly, but key it with a different key than the master 
secret that would also be derived from the pre-master secret.

_____________________________________________________

draft-stjohns-tls-tls13-crypto-infra has the complete details on what 
I'm proposing along with the above.  It recommends doing a straight MAC 
over the handshake data, but I realized last night that that might not 
(will not?) be possible as you may not (will not?) have the derived key 
you're going to need for this until later in the processing.  You'd have 
to keep a copy of the negotiation messages around until you acquired the 
other side's random data (e.g. on the client side until you heard 
ServerHello).  So having some sort of summary function is going to be 
necessary.    We know how to do this for hash-based (e.g. HMAC) MACs 
(use the underlying hash directly), but would have to define something 
for a block-cipher (e.g. CMAC) MAC to do the summary function - probably 
using the CMAC with a zero key.

So something like:

if MAC is a CMAC then
      verify_data = MAC (handshake_key, MAC (0, 
handshake_messages))[0..verify_data_length-1];
else
     verify_data = MAC (handshake_key, HASH 
(handshake_messages))[0..verify_data_length-1];


Mike


>
> Mike
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email