Re: [TLS] TLS and KCI vulnerable handshakes
Clemens Hlauschek <clemens.hlauschek@rise-world.com> Tue, 11 August 2015 23:38 UTC
Return-Path: <clemens.hlauschek@rise-world.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66EA91A00F9 for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 16:38:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ajr3mSM1FkZD for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 16:38:49 -0700 (PDT)
Received: from mail01.rise-w.com (mail01.rise-w.com [88.116.105.226]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC68F1A00C3 for <tls@ietf.org>; Tue, 11 Aug 2015 16:38:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail01.rise-w.com (Postfix) with ESMTP id 44FE440E43C; Wed, 12 Aug 2015 01:38:48 +0200 (CEST)
Received: from [192.168.43.233] (unknown [172.56.2.230]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.rise-world.com (Postfix) with ESMTPSA id 61E8C40E431; Wed, 12 Aug 2015 01:38:46 +0200 (CEST)
Message-ID: <55CA8783.8060201@rise-world.com>
Date: Tue, 11 Aug 2015 19:38:43 -0400
From: Clemens Hlauschek <clemens.hlauschek@rise-world.com>
User-Agent: mutt 1.5.23 (Plan 9)
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz> <9690882F-B794-4D1D-973F-DE7F90120CC3@gmail.com> <CABkgnnXruou6BbgZK8vWUeyb-gW5OTSZKPwPVPwZ826usNz9RA@mail.gmail.com> <20150811190544.GA13734@LK-Perkele-VII> <CABkgnnXnx7Fvt8oXNwMC3oLtXD4A4gFw6j-LWWuSkS3BasWqrg@mail.gmail.com>
In-Reply-To: <CABkgnnXnx7Fvt8oXNwMC3oLtXD4A4gFw6j-LWWuSkS3BasWqrg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/23ghKrPGqsEOrDCjFbTbe7BvL4I>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and KCI vulnerable handshakes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 23:38:51 -0000
On 08/11/2015 05:06 PM, Martin Thomson wrote: > On 11 August 2015 at 12:05, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: >>> I don't see how that would work. A client that understands the cert >>> to be ECDSA won't pair the key with the server's ECDH share, they will >>> sign the session transcript with it. >> >> a) ECDSA certs are usable for ECDH (modulo KeyUsage) because there is >> no ECDSA-specific keytype in X.509. > > Maybe I should have been clearer. The certificate might not include a > (strong) signal that allows the client to distinguish between ECDSA > and fixed ECDH, but the client might be configured with that > knowledge. There is no difference between an ECDH and an ECDSA, apart from (possibly) the KeyUsage Extension. > > I checked NSS and there doesn't seem to be any way that it could be > coerced into using the (EC)DH pair from a client certificate in a key > exchange. Even though it supports some fixed (EC)DH suites. To the best of our knowledge, NSS does not support fixed ECDH client authentication. I checked the code manually. Prof Matt Green also verified with EKR at Mozilla during the pre-public disclosure phase that NSS is not vulnerable. > > NSS (incorrectly) adopts the posture that _ECDH_ suites are > half-static: the server share is in the certificate, but the client > side is fully ephemeral. This is clearly in violation of RFC 5246, > Section 7.4.7 and RFC 4492, Section 3.2. I'm not going to worry about > that right now :) > Please elaborate. I do not see how this half-static behaviour constitutes any violations of the mentioned RFCs. I would say half-static ECDH handshake is not only fully spec conforming, but *the* way to do an ECDH handshake when client authentication (*_fixed_(ec)dh) is not requested by the server. OpenSSL, as well as other implementations, do the same. Clemens
- [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Karthikeyan Bhargavan
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Ilari Liusvaara
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Daniel Kahn Gillmor
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Salz, Rich
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Watson Ladd