IETF Logo Mail Archive

Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Michael StJohns <msj@nthpermutation.com> Sat, 27 December 2014 17:41 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C58E1A8AB1 for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 09:41:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUvQOuchNZDw for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 09:41:19 -0800 (PST)
Received: from mail-qa0-f49.google.com (mail-qa0-f49.google.com [209.85.216.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B04CD1A8AA0 for <tls@ietf.org>; Sat, 27 Dec 2014 09:41:19 -0800 (PST)
Received: by mail-qa0-f49.google.com with SMTP id dc16so7719139qab.8 for <tls@ietf.org>; Sat, 27 Dec 2014 09:41:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=vUkAqQgGkiO7QBq+QI7avUpLr1W4B88qqVa0lktxdII=; b=DEItS3GLHaCZjd4Z6YgYiUppfuYJOtEQbGoZAwdXqLvg5zBTgaXHxor25kyWxcxj0G 2XwNcXPLH22/Jntxpvr9qWj3/zhIDRuijXHSNhIeORKGUop+DajeRGoW4zOndnPTb422 hlZwailEepp2jRINibnaIKQLonrljT6JWfH+BFhqK6TRKx/lZMR7wFdioUHoe1Hr349b x5oUg6cgRg2FBafmmL08VviTDK9gOXrtvkzPZNMEB10LheDfkrPsrfmfHPedKQlJHDB+ KBcqMR32qPIY8H0mLjsXVeqj1hNW0uxYIzUxZv8+lqdiVdVRLrkRz1vXWj5eVpQ0e5lB EGKw==
X-Gm-Message-State: ALoCoQkPV5BeVLpgRH79VATpejrgTwvBeatxWbWb638hckdUqf+JroMSYTmcNGgLs2Kus3raMIWl
X-Received: by 10.224.37.5 with SMTP id v5mr79057507qad.25.1419702078842; Sat, 27 Dec 2014 09:41:18 -0800 (PST)
Received: from [192.168.1.105] (c-69-255-115-150.hsd1.md.comcast.net. [69.255.115.150]) by mx.google.com with ESMTPSA id l7sm29041483qai.37.2014.12.27.09.41.18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Dec 2014 09:41:18 -0800 (PST)
Message-ID: <549EEF43.3020608@nthpermutation.com>
Date: Sat, 27 Dec 2014 12:41:23 -0500
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com> <20141224185031.GA4583@LK-Perkele-VII> <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com> <20141224193906.GB4583@LK-Perkele-VII> <CABcZeBOD_6Uan73ntOBKb3JwhYB2xzhrz+xGue_sy-B4-1VA4A@mail.gmail.com> <549EE32B.7050703@nthpermutation.com> <CABcZeBN1_o4Dqv90iK9-z_robXNFsChCe016LU7tBRkjycH4dg@mail.gmail.com>
In-Reply-To: <CABcZeBN1_o4Dqv90iK9-z_robXNFsChCe016LU7tBRkjycH4dg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000104090304020703060406"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4BZTanduoaAVvm9q9YRQ-EgY_W8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 17:41:23 -0000

On 12/27/2014 12:01 PM, Eric Rescorla wrote:
>
>
> On Sat, Dec 27, 2014 at 8:49 AM, Michael StJohns 
> <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote:
>
>     On 12/24/2014 4:01 PM, Eric Rescorla wrote:
>>
>>         > >
>>         > > That is, it would be digital signature of:
>>         > >
>>         > > - 32 padding bytes (or ClientRandom)
>>         > > - 32 padding bytes (or ServerRandom)
>>         > > - Context string
>>         > > - Ciphersuite ID (to provode domain separation)
>>         > > - handshake_hash(transcript)
>>         > >
>>         >
>>         > So to be clear, you are proposing that we might (for
>>         instance) have
>>         > a signature with (say) SHA-1 over a handshake hash computed
>>         with
>>         > SHA-256?
>>
>>         Yes.
>>
>>         E.g ECDSA/SHA1 for signatures and
>>         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>         for connection. That would result in SHA-1 signature over
>>         SHA-256 hash.
>>
>>
>>         The other way around can't happen with any current
>>         ciphersuite (because
>>         every current one has prf-hash of either SHA-256 or SHA-384).
>>
>>
>>     Thanks for the clarification. What do other people think about
>>     this suggestion?
>>
>>     -Ekr
>
>     Three items -
>
>     Doing it this way means that SHA1 is a permanent part of TLS1.3 -
>     every implementation will need it.  It also means that the
>     security of the handshake transcript part is no better than that
>     given by SHA1 so if further attacks on SHA1 are discovered, the
>     fix will be TLS1.4.
>
>
> I don't believe that this is correct.
>
> - In the current draft, you sign transcript using whatever 
> signature/hash pair
>   you have selected. Call that hash H1. So, you sign H1(transcript).
>
> - In AGL's existing PR, you sign H1(context || H1(transcript))
>
> - In Ilari's proposal, you sign H1(context || H2(transcript)) where H2 is
>   that Hash used by the PRF, which is SHA-256 for the current cipher
>   suites.
>
> So, in the case where you want to sign with RSA-SHA1, you would in the
> first case just sign with SHA1, in the second do SHA1(... || SHA1()),
> and in the third case do SHA1(...., || SHA256()).

I admit to a lot of confusion then as to what you're trying to do here:

1) Client offers a number of cipher suites, with the result that there 
are multiple hash functions (PRF) possible.
2) Client uses which hash function to summarize the transcript?
3) Server knows which hash function the client is using so it can use 
the same one?  Assuming it implements that.


My point here is that I don't see that you're gaining anything as mostly 
the client doesn't know what the server knows until after the server 
tells it.  The clients choice of which hash (or even which handshake 
signature algorithm) to use will be prone to error until it gets a 
response from the server confirming it.  I think a client has to 
maintain parallel hash contexts for all offered hash functions until the 
server makes its choice known.

So the way to get around the above is to: pick a set of handshake 
algorithms that everyone has to implement and make them fixed. Which led 
me to the "everyone has to implement SHA1" based on the prior email.

>
>
>     If the client is willing to negotiate to TLS1.2, the client will
>     still need to run multiple hashes in parallel until it gets the
>     tls version selection confirmation (and the cipher suite
>     selection) from the server as we're not changing how the TLS1.2
>     signature is calculated.
>
>
> Yes. This is at least in principle also true with TLS 1.3 if we were 
> to define
> (and the client were to support) a PRF based on some other hash, such
> as SHA-512.

Yup - but AFAICT, the only restriction for what goes into the .prf slot 
in the cipher suite is that it must be a hash function useable with 
HMAC.  I would expect future suites to propose SHA3 based hashes for 
example as well as regional/national hash functions.  And I would expect 
those to work without changes to the underlying TLS protocol.

Mike




>
> -Ekr
>

v2.23.0 | Report a Bug | By Email