Re: [TLS] Computation of static secret in anonymous DH
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 17 June 2015 08:25 UTC
Date: Wed, 17 Jun 2015 11:25:29 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Douglas Stebila <stebila@qut.edu.au>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-pFbdLgWVR_0CWBQVee63ougymA>
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, Jun 17, 2015 at 07:33:31AM +0000, Douglas Stebila wrote:
> In the DH-based draft of TLS 1.3 (https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based.txt),
> how is the ServerParameters message containing the static secret SS
> constructed in the unauthenticated setting?

There's a much newer version in ekr/tls13-spec#WIP_draft_06 (seems to have fixed most of the mistakes in the original WIP).

There, for the anonymous setting, seemingly SS is a copy of ES, and configurations (essentially a replacement of ServerParameters) can't appear at all (because one needs a certificate to send one).

I can't figure out what to use as the configurations hash part of the session hash in case there isn't an assumed or negotiated configuration (some session hashes are seemingly always that way, especially things like the one used for handshake key derivation).

It also does not say what master key to use for handshake encryption key derivation. I presume tmp2.

Also, I note that seemingly if the configuration private key gets compromised, one can MITM all sessions using it at will (it has a finite lifetime, but other than that, I see no good way to revoke).

-Ilari