IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Mon, 23 June 2014 13:39 UTC

Return-Path: <prvs=12512c33d6=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C5811B2AE3 for <tls@ietfa.amsl.com>; Mon, 23 Jun 2014 06:39:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.15
X-Spam-Level:
X-Spam-Status: No, score=-2.15 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-_5NoAk6Yla for <tls@ietfa.amsl.com>; Mon, 23 Jun 2014 06:39:43 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id CD1171B2AE7 for <tls@ietf.org>; Mon, 23 Jun 2014 06:39:42 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s5NDdZBj004148; Mon, 23 Jun 2014 09:39:41 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'paul.hoffman@vpnc.org'" <paul.hoffman@vpnc.org>, "'tls@ietf.org'" <tls@ietf.org>
Thread-Topic: [TLS] Curve25519 and TLS
Thread-Index: AQHPh06/w7h17LYA/Eqm4mxt4/KM9Jtv08yAgAAGL4CAABFuAIAAM2OAgA4RkYCAAAfKAIAAV1GAgAAy/kc=
Date: Mon, 23 Jun 2014 13:39:21 +0000
Message-ID: <65D2FD736B6B2B48B2EAD2BD189DC9CC16668D@LLE2K10-MBX01.mitll.ad.local>
In-Reply-To: <8583B665-5964-4AD0-977B-D53620D465EE@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [155.34.14.22]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.14, 0.0.0000 definitions=2014-06-23_07:2014-06-23,2014-06-23,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1406230146
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/707KwdBmGLaAOB9DS7S2sT3puEg
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 13:39:45 -0000

You are correct. But the underlying hash must be a PRF for the proofs to hold.

--
Regards,
Uri Blumenthal                            Voice: (781) 981-1638
Cyber Systems and Technology   Fax:   (781) 981-0186
MIT Lincoln Laboratory                Cell:  (339) 223-5363
244 Wood Street                        Email: <uri@ll.mit.edu>
Lexington, MA  02420-9185       

Web:  http://www.ll.mit.edu/CST/

 

MIT LL Root CA: 

 <https://www.ll.mit.edu/labcertificateauthority.html>


DSN:   478-5980 ask Lincoln ext.1638

----- Original Message -----
From: Paul Hoffman [mailto:paul.hoffman@vpnc.org]
Sent: Monday, June 23, 2014 02:36 AM
To: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Curve25519 and TLS

On Jun 23, 2014, at 2:24 AM, Watson Ladd <watsonbladd@gmail.com> wrote:

>>> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as
>>> if H(m || stuff)=H(m' || stuff).
>> 
>> 
>> Well, this isn't quite the two cases we are considering, since we are
>> computing either:
>> 
>> HMAC(Key, stuff)
>> 
>> or:
>> 
>> HMAC(Key, H(stuff))
>> 
>> with:
>> - stuff being under partial control of the attacker and
>> - the Key being subject to the issue you raise in the message
>> that started this thread.
> 
> HMAC is H(key || H(stuff)) right? So it turns into H(key || H(stuff))
> vs H(key || H(H(stuff))). (Yes, there is padding: that's an injective
> function, so doesn't matter for this analysis). Once again a collision
> means stuff equals stuff both ways.

Bellare showed that weakening of the collision resistance in the underlying hash doesn't matter, right? <http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html>? I haven't seen any refutation or weakening of that paper, but I could have missed it.

--Paul Hoffman
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email