Re: [TLS] Computation of static secret in anonymous DH

Eric Rescorla <ekr@rtfm.com> Fri, 26 June 2015 18:48 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 26 Jun 2015 11:47:41 -0700
Message-ID: <CABcZeBNbHTH-tsaEktpcVFhBx40y80YxLtjviHiV9r1Bh9neww@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6OIdj_-rQFKuSMaAQCFIaERhYAY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Computation of static secret in anonymous DH

On Fri, Jun 26, 2015 at 11:41 AM, Nico Williams <nico@cryptonector.com>
wrote:

> On Fri, Jun 26, 2015 at 10:08:55AM -0700, Eric Rescorla wrote:
> > On Fri, Jun 26, 2015 at 9:54 AM, Ilari Liusvaara <
> > ilari.liusvaara@elisanet.fi> wrote:
> > > On Fri, Jun 26, 2015 at 05:55:21AM -0700, Eric Rescorla wrote:
> > > > On Fri, Jun 26, 2015 at 1:50 AM, Ilari Liusvaara <
> > > > ilari.liusvaara@elisanet.fi> wrote:
> > > > > 4) Why is finished independent of ES (IIRC, it did depend on it
> > > > > in earlier version)?
> > > >
> > > > I'm going to refer these to Hugo, as they were his suggestion.
> > >
> > > Also, TLS 1.2 had tls-unique also be secret (but one would have to
> > > really misuse it for that to matter). With finished just depending on
> > > SS, secrecy might fail.
> >
> > As I understand it, there are cryptographic logic reasons for this (again,
> > I'll defer to Hugo here). Maybe we should just define a new value
> > for TLS-Unique based on the exporter secrets?
>
> tls-unique depends on the Finished message strongly binding the entire
> transcript up to that point.  I find this elegant (despite the
> resumption problem, which anyways, should be fixed by the session hash)
> and easy to understand and analyze.
>
> If the Finished message no longer has this property in 1.3 then that's a
> problem for tls-unique, and we'd have to fix one or the other.  Surely
> 1.3 will have some handshake message that binds the transcript, and why
> that wouldn't be the Finished message is beyond me (but I am missing a
> lot of the 1.3 context, so please forgive and inform me).
>

In general TLS 1.3 tries to derive keys from as much of the transcript
as is available. The issue with Finished is that for the cryptographic
logic reasons I indicated earlier [0], it is computed using only SS
which means that for some handshake modes it isn't tied to the
ephemeral keys. However, the exporter secret is.


> It would be better though to move the responsibility for defining
> tls-unique to the TLS 1.3 spec even if tls-unique remains unchanged.
> That way 1.3 and/or future versions of TLS can specify different
> constructions of tls-unique.
>

This seems like a good idea.

-Ekr

[0] Hugo can explain this better than I, but as I understand it, the point is
that SS is being used to authenticate ES via the Finished and if you
compute the Finished based on ES, then it creates a circular logic.
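
An added illustration of the point discussed above, not part of the original message and not the TLS 1.3 draft's actual key schedule: a simplified Python model in which the Finished MAC is keyed from SS alone while a channel-binding value is taken from an exporter secret that mixes SS and ES. The labels, the order in which the secrets are mixed, and the sample values are assumptions made for this example.

```python
import hashlib
import hmac

ZERO = bytes(32)

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def hkdf_extract(salt, ikm):
    return _hmac(salt, ikm)

def hkdf_expand(prk, info, length=32):
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = _hmac(prk, block + info + bytes([i]))
        out += block
        i += 1
    return out[:length]

def handshake_values(ss, es, transcript):
    """Return the model's Finished MAC and exporter-based binding value."""
    th = hashlib.sha256(transcript).digest()
    x_ss = hkdf_extract(ZERO, ss)
    x_es = hkdf_extract(ZERO, es)
    # Finished: the key comes from SS only; the MAC still covers the transcript.
    finished = _hmac(hkdf_expand(x_ss, b"model finished key"), th)
    # Exporter secret: mixes SS and ES (labels and mixing order are assumptions).
    master = hkdf_extract(x_ss, x_es)
    exporter = hkdf_expand(master, b"model exporter secret" + th)
    binding = hkdf_expand(exporter, b"model channel binding")
    return {"finished": finished, "binding": binding}

# Constructed sample inputs, not taken from any real handshake.
SS = bytes.fromhex("11" * 32)
ES_A = bytes.fromhex("22" * 32)
ES_B = bytes.fromhex("33" * 32)
TRANSCRIPT = b"constructed-ClientHello|constructed-ServerHello"

def compare():
    """Check which secrets and inputs each value depends on."""
    a = handshake_values(SS, ES_A, TRANSCRIPT)
    b = handshake_values(SS, ES_B, TRANSCRIPT)
    c = handshake_values(SS, ES_A, TRANSCRIPT + b"|tampered")
    return {
        "finished_depends_on_es": a["finished"] != b["finished"],
        "binding_depends_on_es": a["binding"] != b["binding"],
        "finished_binds_transcript": a["finished"] != c["finished"],
        "binding_binds_transcript": a["binding"] != c["binding"],
    }
```

The transcript is held fixed across the two ES values to isolate which secret each value is keyed from; in this model both values change when the transcript changes, but only the exporter-based one changes with ES.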


