Re: [TLS] RFC 4492 and HSM
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 22 April 2014 04:07 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DFC71A004A for <tls@ietfa.amsl.com>; Mon, 21 Apr 2014 21:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 605spaqEuLCQ for <tls@ietfa.amsl.com>; Mon, 21 Apr 2014 21:07:23 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id B1E031A002F for <tls@ietf.org>; Mon, 21 Apr 2014 21:07:23 -0700 (PDT)
Received: from [192.168.13.159] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 83074F984; Tue, 22 Apr 2014 00:07:16 -0400 (EDT)
Message-ID: <5355EAF4.1020603@fifthhorseman.net>
Date: Tue, 22 Apr 2014 00:07:16 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, "tls@ietf.org" <tls@ietf.org>
References: <CACsn0c=eV9NODQ8t5N0kjxB4_fC4kz__DH0POvhsd0g3SvGSMg@mail.gmail.com>
In-Reply-To: <CACsn0c=eV9NODQ8t5N0kjxB4_fC4kz__DH0POvhsd0g3SvGSMg@mail.gmail.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="C08B3pUgc9PmM0VbWrkV9HKiNR8wsXLIi"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0X0KtJZeyRR2MwasyBBpWD4tsZE
Subject: Re: [TLS] RFC 4492 and HSM
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Apr 2014 04:07:38 -0000
On 04/21/2014 09:00 PM, Watson Ladd wrote: > RFC 4492 specifies an ECDSA signature of the server's curve parameters > and ephemeral point, but not any fresh data. As a result the ephemeral > exponent is equal in sensitivity to the long-term exponent of the > ECDSA key, forcing an HSM to protect both, and thus do three > exponentiations per connection. It looks to me like RFC 4492 specifies that the data signed includes both the ClientHello.random and the ServerHello.random: https://tools.ietf.org/html/rfc4492#page-20 fwiw the traditional discrete-log-based DHE key exchange includes the same data in the signature: https://tools.ietf.org/html/rfc5246#page-52 I would consider this "fresh data", particularly the inclusion of the ClientHello.random. I agree that if there were no fresh data, then every single ephemeral key used would be equivalent to the server's static public key for reuse by an active attacker, which seems like it would a problem (especially given any attacker's ability to trivially harvest new signatures over novel ephemeral keys). > If an HSM has limited signing power compared to the CPU of the machine > it is attached to this is a real limitation. An extra layer of > indirection, in which a time limited key is signed by the certificate, > avoids this issue, but is not currently supported if I'm reading > everything correctly. Triple-DH handshakes partially mitigate this > issue, reducing the online impact to one exponentiation per > connection. if the ClientHello.random isn't enough protection for you, how are you proposing that the key be time-limited? are we assuming some minimal clock skew? Would stuffing a timestamp in the SignedParams satisfy your concern? What guidelines would we suggest for a client for deciding whether to accept or reject the timestamp? inclusion of a timestamp raises similar concerns about fingerprinting as discussed in: https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00#section-1.3 Do you see other ways to mitigate those concerns? > If this wrinkle doesn't get ironed out I'm not terribly unhappy. But > if we are going to do major surgery on the PRF and related things, the > ECDHE handshake is exposed anyway. I think the triple-DH handshake has some very nice properties in general, by avoiding any sort of non-repudiable signature; i'm not convinced that we need to make that radical a change for TLS 1.3, but i'm open to the argument. --dkg
- [TLS] RFC 4492 and HSM Watson Ladd
- Re: [TLS] RFC 4492 and HSM Daniel Kahn Gillmor
- Re: [TLS] RFC 4492 and HSM Watson Ladd