Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
Michael Sweet <msweet@apple.com> Thu, 18 September 2014 14:52 UTC
Return-Path: <msweet@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2247C1A8821 for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 07:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.953
X-Spam-Level:
X-Spam-Status: No, score=-5.953 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qH6ssbmgQfd for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 07:52:35 -0700 (PDT)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B6921A87F1 for <tls@ietf.org>; Thu, 18 Sep 2014 07:52:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1411051954; x=2274965554; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nu7zb1EI/nlzg2zOvrsvDKGtrdX44w8ho0UCVtLcwgg=; b=XhoLENpHeAtEQPvk5m1EheEKEkLAQCCmP8meqQVtmZFyrCLzQjjFc/V0asHnrTVp B9I58YHPiJzdeBEk1NdTsM/luOlFPDf3hqXTRY0LBpEBXqqq37kfBuXVKcU08Pgy 9tmnES8MJQvNlGovO5I9AejArZ+kcrSGMdssNx1laGHqynBAxh4d69jWsWTrzGy+ BLTHn+MGJUnfToEJwEC6dzE1JfuNbZiWBBwFOpqxGw7c5n55GcALF8qzjHd0WQlm 0+q3Eer40kvn9PLldnH61xcs+nUVzBCM5ySvmr+3SVCKhQd9u2BwhmiDaiEx5QjF UUFHTnmAFvbCKUwBEYp7bg==;
Received: from mail-out.apple.com (mail-out.apple.com [17.151.62.50]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 2D.F3.31401.2B1FA145; Thu, 18 Sep 2014 07:52:34 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from relay6.apple.com ([17.128.113.90]) by local.mail-out.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTP id <0NC3005ECQNMAPA0@local.mail-out.apple.com> for tls@ietf.org; Thu, 18 Sep 2014 07:52:34 -0700 (PDT)
X-AuditID: 11973e16-f793b6d000007aa9-c0-541af1b2de7b
Received: from chive.apple.com (chive.apple.com [17.128.115.15]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay6.apple.com (Apple SCV relay) with SMTP id 4E.1B.30921.2A1FA145; Thu, 18 Sep 2014 07:52:18 -0700 (PDT)
Received: from [17.153.50.154] by chive.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0NC300E8TQNKZ080@chive.apple.com> for tls@ietf.org; Thu, 18 Sep 2014 07:52:34 -0700 (PDT)
From: Michael Sweet <msweet@apple.com>
In-reply-to: <1411050264.18523.35.camel@dhcp-2-127.brq.redhat.com>
Date: Thu, 18 Sep 2014 10:52:32 -0400
Message-id: <ECF11BA6-C40D-4300-874B-3104B7196045@apple.com>
References: <20140912200607.GE16660@localhost> <20140918011622.CB9391AE4C@ld9781.wdf.sap.corp> <CACsn0cmUAeof0o7b2RG=RzqpBrezYihyu-ggS7qX5M8dd5BSQA@mail.gmail.com> <58A06E37-B0FB-4D53-87AD-288CF2278B42@apple.com> <1411050264.18523.35.camel@dhcp-2-127.brq.redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
X-Mailer: Apple Mail (2.1878.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLLMWRmVeSWpSXmKPExsUiON3OSHfTR6kQgyf/9C0+ne9idGD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxu4tJxkLngpUvF+1nq2B8QRvFyMnh4SAicSaFTeYIWwxiQv3 1rN1MXJxCAnMYpL4vL6DESTBKyAo8WPyPZYuRg4OZgF5iYPnZUHCzAJaEt8ftbKA2EICk5kk lk4zh5n5tvUd1JxuJomLk5ZAOR8YJZbeWsoEUiUskCPx8u4fdhCbTUBN4vekPlYQm1PASWJt 60ywZSwCqhJ/71hBLFOUOLBzFjPEPTYSszu6mSFmTmKSOPN9BRtIQkRAV+JS81N2iCvkJT58 OM4OUiQh8J5V4t7enSwTGEVmIXloFsJDs5A8tICReRWjUG5iZo5uZp65XmJBQU6qXnJ+7iZG SHiL7WB8uMrqEKMAB6MSD6+EgFSIEGtiWXFl7iFGaQ4WJXHe2QxAIYH0xJLU7NTUgtSi+KLS nNTiQ4xMHJxSDYwKb46969yUW/z69d4JWrZFaSsuSc7ImylyyGjfrGdhH6a5Hev6vjq6fF7q 5NNnAtjbdH1afU60Oe+c/onZxParll3FFqPQo0lLOLYLOHY/cUre/eHekvtRRha37ym2+8zi 19TUVcvdO9FOM3vDpR7bd08Wtr+vKz0xY8qdP6sm1xauYfW+9bJNiaU4I9FQi7moOBEAVatv GFACAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGLMWRmVeSWpSXmKPExsUi2FDMr7voo1SIQds3botP57sYHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcX/dCcaCJYIVJ2ctYWpgfM3bxcjJISFgIvG29R0bhC0mceHe eiCbi0NIoJtJ4vji+6wQzgdGiaW3ljKBVAkL5Ei8vPuHHcTmFTCQePXzMTOIzSygJbF+53Gw GjYBNYnfk/pYQWxOASeJta0zWboYOThYBFQl/t6xgihXlDiwcxZUq7bEk3cXWCFG2kjM7uhm htg7iUnizPcVYNeJCOhKXGp+yg5xqbzEhw/H2ScwCsxCcsYsJGfMQjJ3ASPzKkaBotScxEoz vcSCgpxUveT83E2M4NArjNrB2LDc6hCjAAejEg+vhIBUiBBrYllxZe4hRgkOZiURXo+3QCHe lMTKqtSi/Pii0pzU4kOM0hwsSuK8e+4DpQTSE0tSs1NTC1KLYLJMHJxSDYyC5133ctqfadJ9 uiJg3RHOjbHnrPOjdwcv4k/te3Vy45vyW55yM+2cMpe6suyctS3lDKuQx4ZZWz5s2FDofmsh S9Lzg6FTe+qDVtX58Rm0/rS8OtF8rmZd21m/k9Y/rSY/UxdyfWRwT05Jd0rNS888tn+1sXd0 ziw0TfVwMLCtLSr+cDe19aMSS3FGoqEWc1FxIgBj56iqOQIAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7E0z546nty2ELazCr2qjedmL6Xc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Sep 2014 14:52:37 -0000
Nikos, The claim was made that TLS + some combination of extensions will produce a non-secure result. I.e., TLS + Extension Foo is secure, TLS + Extension Bar is secure, but TLS + Foo + Bar is not secure (or cannot be proven to be secure). Thus, my comment was just a question: if we can't ensure that all combinations of TLS extensions are secure, does it make sense to negotiate sets of extensions instead of the individual extensions? Obviously a single extension should be secure on its own (otherwise, why is it being approved for use in TLS?), but if a combination of extensions can cause interactions that are not secure then it would make sense to have a way to lock those combinations out (blacklist) or negotiate known good combinations (whitelist). And having worked with enough security people over the years, I know what the usual preference is for such things (whitelists)... (I am not a TLS or security expert, just somebody that uses TLS and knows that I don't know everything about it, so I ask questions even if the answers are obvious to those that can claim to be experts...) On Sep 18, 2014, at 10:24 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > On Thu, 2014-09-18 at 07:29 -0400, Michael Sweet wrote: >> My $0.02: Would it make sense to stop treating extensions as an a la >> carte mechanism, and instead define "extension suites", much as TLS >> already groups specific combinations of cryptographic primitives that >> can be selected in cipher suites? > > Well, I think we need more than your 2 cents for that. Could you > elaborate what you mean here? The extensions were put in place to > overcome the limitation of the ciphersuites that you just mentioned. > >> Seems like that would limit the allowed combinations of extensions to >> those that have gone through the necessary analysis and are considered >> "safe" to use together? > > Isn't that the set of all extensions that are published by this working > group? > > regards, > Nikos > > _________________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair
- [TLS] Simplifying the proof Watson Ladd
- Re: [TLS] Simplifying the proof Nigel Smart
- Re: [TLS] Simplifying the proof Watson Ladd
- Re: [TLS] Simplifying the proof Markulf Kohlweiss
- [TLS] cryptanalysis vs. encrypted parts of the TL… Daniel Kahn Gillmor
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Fabrice
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael StJohns
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Douglas Stebila
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Hugo Krawczyk
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Eric Rescorla
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Alfredo Pironti
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael StJohns
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- [TLS] CB cryptanalysis (Re: cryptanalysis vs. enc… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Manuel Pégourié-Gonnard
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Markulf Kohlweiss
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Martin Rex
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Hugo Krawczyk
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nico Williams
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael Sweet
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Nikos Mavrogiannopoulos
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Michael Sweet
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Watson Ladd
- Re: [TLS] cryptanalysis vs. encrypted parts of th… Ilari Liusvaara