IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Watson Ladd <watsonbladd@gmail.com> Mon, 23 June 2014 14:23 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF7181B2961 for <tls@ietfa.amsl.com>; Mon, 23 Jun 2014 07:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wk6Ilb8gtLwJ for <tls@ietfa.amsl.com>; Mon, 23 Jun 2014 07:23:56 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B37711A0401 for <tls@ietf.org>; Mon, 23 Jun 2014 07:23:56 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id i57so5055829yha.41 for <tls@ietf.org>; Mon, 23 Jun 2014 07:23:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Rioau62lW0zW+pH8zPE3tAd3zLW7nJaJeYp1r0zBlxI=; b=N/2s/Rm7h/3YGpw4A9BRjZlwttYMLHf2/OGAU9ltxPj6F9QvHOhdE7s7aJsnSgveSi 4S56nNkpUixjyed+WjoKSCHaM2y6vkRLYn5RTiNB2wmVSTeyQBRQ+UThwhPSdB7aeOpG UPi4NL1CK5SQ2Jih469EQ2O5v7Gh/yAIo6hqXV95aidiqSWzdHRr/z18b/RklJ1tiwKA lZpRKj90MLCz7SalqRj5nyQ4FhyLLu39OXayC6o2IakUdOluYNuzicfguATnqXvtD9EY 8HyKOxI8q7YrvYE4fWQUBWxKOtTXWS5RgRhTMhoCw8dYEeVKX0Pes2kCSi3VpmvkuEt7 CpYQ==
MIME-Version: 1.0
X-Received: by 10.236.15.133 with SMTP id f5mr36013563yhf.63.1403533436012; Mon, 23 Jun 2014 07:23:56 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Mon, 23 Jun 2014 07:23:55 -0700 (PDT)
In-Reply-To: <8583B665-5964-4AD0-977B-D53620D465EE@vpnc.org>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com> <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com> <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com> <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com> <CACsn0cneqxgZQQDp1UF+2f1b=ySA7T6sReh83NqPtG-PgDFBpg@mail.gmail.com> <8583B665-5964-4AD0-977B-D53620D465EE@vpnc.org>
Date: Mon, 23 Jun 2014 07:23:55 -0700
Message-ID: <CACsn0ckYL_MSMRn9zk5GzjO+Q7HLDzZqXetnfwMzYpXZ80sPrw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/29lkv5IopPPGhUM1g9LOtbhFXB0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 14:23:59 -0000

On Sun, Jun 22, 2014 at 11:36 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Jun 23, 2014, at 2:24 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
>>>> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as
>>>> if H(m || stuff)=H(m' || stuff).
>>>
>>>
>>> Well, this isn't quite the two cases we are considering, since we are
>>> computing either:
>>>
>>> HMAC(Key, stuff)
>>>
>>> or:
>>>
>>> HMAC(Key, H(stuff))
>>>
>>> with:
>>> - stuff being under partial control of the attacker and
>>> - the Key being subject to the issue you raise in the message
>>> that started this thread.
>>
>> HMAC is H(key || H(stuff)) right? So it turns into H(key || H(stuff))
>> vs H(key || H(H(stuff))). (Yes, there is padding: that's an injective
>> function, so doesn't matter for this analysis). Once again a collision
>> means stuff equals stuff both ways.
>
> Bellare showed that weakening of the collision resistance in the underlying hash doesn't matter, right? <http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html>? I haven't seen any refutation or weakening of that paper, but I could have missed it.

But here the key is known to the attacker (because it was the result
of a DH operation on a point of small order) : that paper is
completely irrelevant.

Furthermore, all TLS implementations somehow validate signatures: we
can use the collision resistant hash from that and avoid having to
think about these issues.

Sincerely,
Watson Ladd

>
> --Paul Hoffman
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email