Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Eric Rescorla <ekr@rtfm.com> Fri, 15 December 2017 18:17 UTC

In-Reply-To: <20171215181432.GA17685@LK-Perkele-VII>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com> <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com> <20171215020116.04f9ae15@pc1> <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com> <20171215143057.GA17121@LK-Perkele-VII> <MWHPR21MB01897F29048C1B2AB66EA7488C0B0@MWHPR21MB0189.namprd21.prod.outlook.com> <20171215174628.GA17601@LK-Perkele-VII> <CABcZeBOsL0a0xHvVWEus_EY3mUNioaV9fsz89Gt+HeqdHpoyDw@mail.gmail.com> <20171215181432.GA17685@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 15 Dec 2017 10:16:59 -0800
Message-ID: <CABcZeBO9qWcARQ7JtSLymxEVM5t2g4Z1DW91VZBf3dD349ku9A@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3txN7so82CDds2Im0rR0vPyPghE>

On Fri, Dec 15, 2017 at 10:14 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Fri, Dec 15, 2017 at 10:07:16AM -0800, Eric Rescorla wrote:
> > I'm not quite following how this helps. It's true that if SHA-256 is
> > broken, we're in serious trouble, but that's largely because of the fact
> > that that's what people's certificates have, so clients really can't
> refuse
> > to support SHA-256 certificates. So, how does adding new algorithms help?
> > (That's why I would argue that the existing SHA-384 support doesn't
> help).
>
> TLS handshake assumes the hash function is strongly collision-
> resistant. So if SHA-256/SHA-384 breaks, the handshake hash function
> needs to be replaced.
>

Yes. In 1.3, you would define new cipher suites with the new hash. But of
course you then have to worry about downgrade if clients jointly support
the weakest hash and it's weak enough.

-Ekr


> This is separate from certificate signatures. Transitioning this would
> be much more nasty than TLS handshake hash, because there is no
> backward-compatible way of changing the hash. This is one major reason
> why SHA-1 transition took over 10 years (oh, then there is the "fun"
> post-quantum transition possibly coming up).
>
>
> -Ilari
>
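The exchange above turns on two points: in TLS 1.3 the negotiated cipher suite fixes the handshake hash, and the Finished check only protects against an attacker stripping suites from the ClientHello as long as that hash keeps its collision and second-preimage resistance. The following toy model, written as an added example and not code from the thread or from any TLS implementation, makes both visible. The suite names beyond the two real AES-GCM ones, the message encodings, the chained transcript hash, the H(key || transcript) Finished value, the fixed shared key and the deliberately broken 16-bit "weak16" hash are all assumptions of the example; real TLS 1.3 uses HMAC under an HKDF-derived finished_key and also signs the transcript in CertificateVerify, which the toy omits.

```python
import hashlib

# Added example (not from the thread or any TLS stack): a toy model of TLS 1.3
# cipher-suite negotiation where the suite selects the handshake hash and the
# Finished value binds both sides to the same transcript. Suite names other
# than the two AES-GCM ones, encodings, "weak16" and the shared key are
# constructed for illustration.

# Handshake hash name -> digest function. "weak16" is a hypothetical hash whose
# collision/second-preimage resistance has collapsed (SHA-256 cut to 16 bits).
HASHES = {
    "sha256": lambda b: hashlib.sha256(b).digest(),
    "sha384": lambda b: hashlib.sha384(b).digest(),
    "weak16": lambda b: hashlib.sha256(b).digest()[:2],
}

# Cipher suite -> the handshake hash it selects (TLS 1.3 style). The last entry
# is hypothetical: a suite built on a hash that is "weak enough".
SUITES = {
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_HYPOTHETICAL_WEAK16": "weak16",
}


def encode_client_hello(offered, trailer=b""):
    # Offered suites in client preference order, plus an opaque trailer the
    # server ignores (standing in for attacker-controllable extension bytes).
    return b"ClientHello:" + b",".join(s.encode() for s in offered) + b";pad=" + trailer


def parse_client_hello(msg):
    body = msg[len(b"ClientHello:"):].split(b";pad=", 1)[0]
    return body.decode().split(",")


def select_suite(offered, server_prefs):
    # Server picks its most-preferred suite among those the client offered.
    for s in server_prefs:
        if s in offered:
            return s
    raise ValueError("no common cipher suite")


def transcript_state(hash_name, messages):
    # Chained transcript hash: state = H(state || message). A collision on an
    # intermediate state carries through every later message.
    digest = HASHES[hash_name]
    state = b""
    for m in messages:
        state = digest(state + m)
    return state


def finished_mac(hash_name, key, state):
    # Toy Finished value H(key || transcript); real TLS 1.3 uses HMAC under an
    # HKDF-derived finished_key, but the binding to the transcript is the same.
    return HASHES[hash_name](key + state)


def run_handshake(client_offer, server_prefs, mitm=None):
    """Return (negotiated suite, whether the client accepts the server's Finished)."""
    shared_key = b"constructed-shared-secret"  # stands in for the (EC)DHE output
    ch_sent = encode_client_hello(client_offer)
    ch_seen = mitm(ch_sent) if mitm else ch_sent  # what the server receives
    suite = select_suite(parse_client_hello(ch_seen), server_prefs)
    sh = b"ServerHello:" + suite.encode()
    h = SUITES[suite]
    server_fin = finished_mac(h, shared_key, transcript_state(h, [ch_seen, sh]))
    client_fin = finished_mac(h, shared_key, transcript_state(h, [ch_sent, sh]))
    return suite, client_fin == server_fin


def strip_offer(keep):
    # Attacker rewrites the ClientHello so that it offers only `keep`.
    return lambda ch: encode_client_hello([keep])


def strip_with_second_preimage(keep, max_tries=1 << 20):
    # Attacker downgrades to `keep` and, under keep's own hash, searches for a
    # trailer that makes the rewritten ClientHello reach the same transcript
    # state as the genuine one. Feasible only if that hash is broken.
    def mitm(ch):
        h = SUITES[keep]
        target = transcript_state(h, [ch])
        for i in range(max_tries):
            candidate = encode_client_hello([keep], str(i).encode())
            if transcript_state(h, [candidate]) == target:
                return candidate
        return encode_client_hello([keep])  # search failed: plain strip
    return mitm


OFFER = list(SUITES)  # client and server both prefer the strongest hash first


def demo():
    return {
        "honest": run_handshake(OFFER, OFFER),
        "strip_to_sha256": run_handshake(OFFER, OFFER, strip_offer("TLS_AES_128_GCM_SHA256")),
        "strip_to_weak16": run_handshake(OFFER, OFFER, strip_with_second_preimage("TLS_HYPOTHETICAL_WEAK16")),
    }


if __name__ == "__main__":
    for name, (suite, accepted) in demo().items():
        print(f"{name:16s} -> {suite:24s} client accepts Finished: {accepted}")
```

Stripping the offer down to the SHA-256 suite is caught: the server's transcript contains the rewritten ClientHello, the client's contains the original, and the Finished values disagree. Stripping down to the hypothetical weak16 suite is not caught, because with a 16-bit hash the attacker finds a second preimage of the genuine ClientHello in about 65,000 tries and the two transcripts converge. That is exactly the situation the reply warns about: new suites with a stronger hash only help if clients stop jointly supporting a hash that is weak enough to be attacked this way.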