IETF Logo Mail Archive

Re: [TLS] Kill Finished (and other tricks for hardware)

Watson Ladd <watsonbladd@gmail.com> Fri, 18 April 2014 15:15 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD3C1A021C for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 08:15:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ni07HHCSeyHG for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 08:15:52 -0700 (PDT)
Received: from mail-yk0-x22d.google.com (mail-yk0-x22d.google.com [IPv6:2607:f8b0:4002:c07::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 044D71A022A for <tls@ietf.org>; Fri, 18 Apr 2014 08:15:51 -0700 (PDT)
Received: by mail-yk0-f173.google.com with SMTP id 10so1473037ykt.18 for <tls@ietf.org>; Fri, 18 Apr 2014 08:15:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3dLHhZvTZden/DLqqsZP7sZaE60Q7h1gFIV6k6rgqp0=; b=n7ktd/lw0VsKX3z6XjtBlEDvQM8DsFRF1MbmwMS0JuacaSEzgakGmH9B4DnPUsYg7Q tTcMMBn9nwe2FnQdwYDhV/hlggsXm9HVqM17ecImyiQrZjS3G5nGkpAJbKN6XNHEFdjf lXn7hM30ZeOvwvcfyuHGO0RYk2AngVLK7NpoFwk63jU+IF7HTthm44QlvRNATDSZhF6r Bt6WW/f8pnJeWE4DO78367Ki6xWcFTLjasbmN9fmlYBz9QBGwYpBqA4JEg/FYLf+LUfq Z/z6HZ7NejmblRiEdZgclgB9Nq+jmlXyh14AG4sFPLxfrcWn9YbwtdL/vyDAT5mCWGLg gGNA==
MIME-Version: 1.0
X-Received: by 10.236.139.70 with SMTP id b46mr2976924yhj.63.1397834147999; Fri, 18 Apr 2014 08:15:47 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Fri, 18 Apr 2014 08:15:47 -0700 (PDT)
In-Reply-To: <53513A6B.8080606@nthpermutation.com>
References: <CACsn0cm7CU3HBOY-m90+HwGBuw+nZ7vyqRdHZcfDjw7wiTmDMw@mail.gmail.com> <5350BF46.7000608@pobox.com> <53513A6B.8080606@nthpermutation.com>
Date: Fri, 18 Apr 2014 08:15:47 -0700
Message-ID: <CACsn0c=gvQ9BbEifDkiiiNnUN-qdnYNOkVFZe0HX6hWwZNJNGQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4r61m_WmzogOUt5SwdxRXi8FNcQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Kill Finished (and other tricks for hardware)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 15:15:57 -0000

On Fri, Apr 18, 2014 at 7:44 AM, Michael StJohns <msj@nthpermutation.com> wrote:
> Edited and comments in line.
>
>
> On 4/18/2014 1:59 AM, Michael D'Errico wrote:
>>
>> Watson Ladd wrote:
>>>
>>>
>>> So I propose the following changes:...
>>>
>>> Finished dies.  .........
>>
>>
>> This is a much weaker failure indication than checking the Finished
>> messages, so I'd prefer to keep them.  Can you think of an alternate
>> construction for the Finished message that doesn't use the PRF?
>
>
> The simplest thing here is to use the negotiated PRF algorithm
> (SecurityParameters.prf_algorithm, not the TLS PRF wrapper around that
> algorithm) directly, but key it with a different key than the master secret
> that would also be derived from the pre-master secret.

This still has the key-dependent encryption issue. If we fix the key
generation, the finished messages can be constants.
If we need to use finished messages related to keys, then for
technical reasons verification gets hard.

I'm not an expert on this matter: I only had it explained to me at
DIAC '13 by someone. I don't know how the miTLS paper deals with it,
or if new methods can avoid it. There are key-confirmation messages
that do not have this issue.

It does fix your hardware issue though.
>
> _____________________________________________________
>
> draft-stjohns-tls-tls13-crypto-infra has the complete details on what I'm
> proposing along with the above.  It recommends doing a straight MAC over the
> handshake data, but I realized last night that that might not (will not?) be
> possible as you may not (will not?) have the derived key you're going to
> need for this until later in the processing.  You'd have to keep a copy of
> the negotiation messages around until you acquired the other side's random
> data (e.g. on the client side until you heard ServerHello).  So having some
> sort of summary function is going to be necessary.    We know how to do this
> for hash-based (e.g. HMAC) MACs (use the underlying hash directly), but
> would have to define something for a block-cipher (e.g. CMAC) MAC to do the
> summary function - probably using the CMAC with a zero key.

There is a problem here: CMAC is a MAC, not a hash. In particular, I
can make collisions in CMAC(0, message) trivially, by letting m_1' be
the decryption of m_2+m_2'.

Sincerely,
Watson Ladd

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email