Re: [TLS] Computation of static secret in anonymous DH

Eric Rescorla <ekr@rtfm.com> Fri, 26 June 2015 18:48 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229C41ABD37 for <tls@ietfa.amsl.com>; Fri, 26 Jun 2015 11:48:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1oTXZMTPaPS for <tls@ietfa.amsl.com>; Fri, 26 Jun 2015 11:48:22 -0700 (PDT)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 308901ABC75 for <tls@ietf.org>; Fri, 26 Jun 2015 11:48:22 -0700 (PDT)
Received: by wgck11 with SMTP id k11so95493185wgc.0 for <tls@ietf.org>; Fri, 26 Jun 2015 11:48:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=nub/VePD5DI6334076qUDLtVWlr74/Q6xFXga11QdU4=; b=eQkORL9v5gkA3gRA8UrWdkuQKVJIHvT3vqJnhVyA9TZA6CD0V2812CQtEZtSItF/Wj fqsVT3/ERxWiDH26rcUKwk1bP1nSzG2pNfnbEnFs9PQSv6YmyHw1yZWQXOvvea3HDgWt EZekFjhEYsV6kx49VzXnIkQpli6ortzSdDW2usMwkKGotTwZWxueUHlZ2Tt83gOOT3z9 uUAZ/dexps9MASlvPQ0jfrvFxCG8RXiWbyXVdZ5lI/YJH4Wl5W91B8o09FRDSEva9P0O yldCK7eozxurwGPhdol/X+s1og+ggCuYIrEWM0dCUC8dTr832Px1JQW6RsnWOeZRD5g9 cyDg==
X-Gm-Message-State: ALoCoQnRfDiaaRtEQGb8vilcfozFQieA6xBftRvW81IvTb88W8h0677INXtRtmgxMbYOXIa9bYt6
X-Received: by 10.180.75.78 with SMTP id a14mr7629349wiw.68.1435344500974; Fri, 26 Jun 2015 11:48:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.95.211 with HTTP; Fri, 26 Jun 2015 11:47:41 -0700 (PDT)
In-Reply-To: <20150626184128.GG6117@localhost>
References: <2AA11887-2F82-48EF-BD45-4D85CFA83847@qut.edu.au> <20150617082529.GA17280@LK-Perkele-VII> <CABcZeBNzzfxo+xQRrS=7-7C65kr3DqtJ5BHqTnt0mC8v-oFuUw@mail.gmail.com> <20150617150505.GA19959@LK-Perkele-VII> <CABcZeBN8m6f=F14Qx1QctMCoF7_LYNrf9D3HstoTZsK2orS1SA@mail.gmail.com> <20150626085008.GA25187@LK-Perkele-VII> <CABcZeBMHim=qBw9L_PG3C4+E=N6n=AdV1AoWN+_19zi84cJJgQ@mail.gmail.com> <20150626165415.GA28534@LK-Perkele-VII> <CABcZeBOTMHVRNi-7JhKEz6KUt=U79SgiKPAmyqUeF3JauUt3Fw@mail.gmail.com> <20150626184128.GG6117@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 26 Jun 2015 11:47:41 -0700
Message-ID: <CABcZeBNbHTH-tsaEktpcVFhBx40y80YxLtjviHiV9r1Bh9neww@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary=f46d0438eb9d1c7a7f0519702f8f
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6OIdj_-rQFKuSMaAQCFIaERhYAY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Computation of static secret in anonymous DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2015 18:48:24 -0000

On Fri, Jun 26, 2015 at 11:41 AM, Nico Williams <nico@cryptonector.com>;
wrote:

> On Fri, Jun 26, 2015 at 10:08:55AM -0700, Eric Rescorla wrote:
> > On Fri, Jun 26, 2015 at 9:54 AM, Ilari Liusvaara <
> > ilari.liusvaara@elisanet.fi>; wrote:
> > > On Fri, Jun 26, 2015 at 05:55:21AM -0700, Eric Rescorla wrote:
> > > > On Fri, Jun 26, 2015 at 1:50 AM, Ilari Liusvaara <
> > > > ilari.liusvaara@elisanet.fi>; wrote:
> > > > > 4) Why is finished independent of ES (IIRC, it did depend on it
> > > > > in earlier version)?
> > > >
> > > > i'm going to refer these to Hugo, as they were his suggestion.
> > >
> > > Also, TLS 1.2 had tls-unique also be secret (but one would have to
> > > really misuse it for that to matter). With finished just depending on
> > > SS, secrecy might fail.
> >
> > As I understand it, there are cryptographic logic reasons for this
> (again,
> > I'll defer to Hugo here). Maybe we should just define a new value
> > for TLS-Unique based on the exporter secrets?
>
> tls-unique depends on the Finished message strongly binding the entire
> transcript up to that point.  I find this elegant (despite the
> resumption problem, which anyways, should be fixed by the session hash)
> and easy to understand and analyze.
>
> If the Finished message no longer has this property in 1.3 then that's a
> problem for tls-unique, and we'd have to fix one or the other.  Surely
> 1.3 will have some handshake message that binds the transcript, and why
> that wouldn't be the Finished message is beyond me (but I am missing a
> lot of the 1.3 context, so please forgive and inform me).
>

In general TLS 1.3 tries to derive keys from as much of the transcript
as is available. The issue with Finished is that for the cryptographic
logic reasons I indicated earlier [0], it is computes using only SS
which means that for some handshake modes it isn't tied to the
ephemeral keys. However, the exporter secret is.


It would be better though to move the responsibility for defining
> tls-unique to the TLS 1.3 spec even if tls-unique remains unchanged.
> That way 1.3 and/or future versions of TLS can specify different
> constructions of tls-unique.
>

This seems like a good idea.

-Ekr

[0] Hugo can explain this better than I, but as I understand it, the point
is
that SS is being used to authenticate ES via the Finished and if you
compute the Finished based on ES, then it creates a circular logic.



> o
> --
>