IETF Logo Mail Archive

Re: [TLS] Kill Finished (and other tricks for hardware)

Andy Lutomirski <luto@amacapital.net> Fri, 18 April 2014 18:56 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64A2E1A043F for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 11:56:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbNgRpjv-DdV for <tls@ietfa.amsl.com>; Fri, 18 Apr 2014 11:56:34 -0700 (PDT)
Received: from mail-pb0-f49.google.com (mail-pb0-f49.google.com [209.85.160.49]) by ietfa.amsl.com (Postfix) with ESMTP id 070BB1A0401 for <tls@ietf.org>; Fri, 18 Apr 2014 11:56:33 -0700 (PDT)
Received: by mail-pb0-f49.google.com with SMTP id jt11so1708357pbb.22 for <tls@ietf.org>; Fri, 18 Apr 2014 11:56:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=UlVrZID5H2nsigpguF3F4p9FMhz0iPeopUr2oNuPAmo=; b=Sy8bAO2n0ma3Wz7GDGK9BskXNglHFTemL7M9qzQ5/QVPGgy6SDX3cUySgJPByH+ee8 7V5EP5R9OwzpD19av43HmFvWkfoNKjcXt9E9xO9SDQ2pcXWHdwGH2q14esDbsnfZdklQ 7PrseMbA3Rr883yUoA+UB5B6kr9pRUrHsVaUYpPvjPzmHMPsHzAv0nnG1AUhHs7BGxok 13wu0IBocWDcjZBA/RzmgjzLkVUaxG4cwnwaEw2cnHt6UPCHjGmU9KY8qfTwWt0J9LK+ Y6aEJz69NGSbKUyeQ3Dfk4mZW7KDTi9O+MOHRfGjIQMnwBegclIYMOlsduM4zIqhvM+G IgpA==
X-Gm-Message-State: ALoCoQnpimbRLLlWRRzrjkXO1eTC4bBYPGTcSRC53e3sb+YrEQuAgytPyHABfjZwMAbadNbeQ/t4
X-Received: by 10.68.212.10 with SMTP id ng10mr23593529pbc.95.1397847389300; Fri, 18 Apr 2014 11:56:29 -0700 (PDT)
Received: from amaluto.corp.amacapital.net (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73]) by mx.google.com with ESMTPSA id ha11sm61436724pbd.17.2014.04.18.11.56.27 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 18 Apr 2014 11:56:28 -0700 (PDT)
Message-ID: <53517559.1060101@mit.edu>
Date: Fri, 18 Apr 2014 11:56:25 -0700
From: Andy Lutomirski <luto@amacapital.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>, Watson Ladd <watsonbladd@gmail.com>
References: <CACsn0cm7CU3HBOY-m90+HwGBuw+nZ7vyqRdHZcfDjw7wiTmDMw@mail.gmail.com> <CAK3OfOiEAWto9qrrJbVzZRgk++6tR-im=RFk4bxjD52ZE5FMWg@mail.gmail.com> <CACsn0cmmtg4Q_hf2jccvwps1b67pVM+wDrraZFPX5fB1C5b=Eg@mail.gmail.com> <CAK3OfOgjcNXrLygba_GLTbV_A1bktFtT_qyee-HRLyL0DPs0ug@mail.gmail.com>
In-Reply-To: <CAK3OfOgjcNXrLygba_GLTbV_A1bktFtT_qyee-HRLyL0DPs0ug@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6ZKOWCkYgMH-hKYy2h1O0QbfkgQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Kill Finished (and other tricks for hardware)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 18:56:38 -0000

On 04/17/2014 07:23 PM, Nico Williams wrote:
> On Thu, Apr 17, 2014 at 8:35 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> On Thu, Apr 17, 2014 at 6:10 PM, Nico Williams <nico@cryptonector.com> wrote:
>>> This would require updating the tls-unique channel binding (which the
>>> resumption bug doesn't: just fix resumption).
>>
>> You have a master key: do another extraction from it. I don't see this
>> as unsolvable.
> 
> I was pointing out a fact.  Clearly it's solvable.
> 
>>> Also, are you proposing to have no message which demonstrates
>>> possession of the shared master secret immediately after being able to
>>> compute it?
>>
>> Yes. Key confirmations are useful in extremely limited circumstances.
> 
> Are key confirmations cargo cult?  It depends:
> 
> If one is doing channel binding then a channel binding confirmation
> -which might look much the same as key confirmation- is needed.  The
> reason is that the point of CB is to leave encryption to the
> lower-layer channel, but only if there was no MITM there.
> 
> If one is not doing channel binding then I believe no key confirmation
> is needed.

Playing the devil's advocate:

Suppose I'm using client certificates and I have a server that takes
some action as soon as an authenticated client connects.  Without some
kind of key confirmation, this stops being secure.

Fixing it may be as simple as having the client send an empty record
after the handshake.

I don't see this being a problem in the other direction.  Without key
confirmation, a MITM could trick a client into thinking it connected to
the server, and the client wouldn't notice until it sent some data and
never gets any response.  But even with key confirmation, a MITM can do
more or less the same thing, just by severing the connection after the
handshake.

--Andy

v2.23.0 | Report a Bug | By Email