Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)

David Benjamin <davidben@chromium.org> Tue, 10 July 2018 16:10 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C7E130E23 for <tls@ietfa.amsl.com>; Tue, 10 Jul 2018 09:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3_GT4CEsPLsy for <tls@ietfa.amsl.com>; Tue, 10 Jul 2018 09:10:22 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8966D130FFE for <tls@ietf.org>; Tue, 10 Jul 2018 09:10:22 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id q12-v6so18774555qtp.6 for <tls@ietf.org>; Tue, 10 Jul 2018 09:10:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SITAVgfcQh8SPNGNds6CGmRoHdBphrvhwTR+bkBTv6I=; b=TYbA18PRHy3ZaJjwwaYZfeVW5yPkqQd/jMttCZ/8kUVnx5yuJfnzv4NCT2+ADZ4stM 58jak/v7r2hhjYVI8ph6MM3LSa/tNTrEH1QD3zrZhk2zbT/6499ymTSDsiQOHSgZyBW+ YzxpHyQPPmx5f/fucV4ikbbB4Q6ERvwC/I1fE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SITAVgfcQh8SPNGNds6CGmRoHdBphrvhwTR+bkBTv6I=; b=p+I1yhjS7V/T50GJp8Dc/HUBiBBex5HfaAlmDV+0F0hoi+Ng/C1OmdCW0Q+zkvm7bn O6tMamM+ej7XK7fmbsD24Gl378XB6CYFwol3RNCJmbSBdiXdnwkGkY9sxn02GvGlgOXT Bl+DciinV3nrgHtmZucPdWctxRUu1tDNKCN0l5eUt8Rs2yglgfSz0Z7MZSGnq12BUwlX fnRWkaHoKhqv3N+S0eIvlHHEbo+cgHqy7zkfI0TJW2zukF1lHihUTFmxcZbwPF2LHYFL rxAbIB3J7pklpTcz/cjw8rS6dGG4p2zvAGOelBAKqAQNNX9HyJSTdFS5ap1MRq/Lnocj 2DDQ==
X-Gm-Message-State: APt69E0pk5Gv+pTofs6xv65rKdA7b60onQ/FScvu1plrwIG7mL9MTYP8 tkW4Or5uvVCQYET8ybRM3ndh3IpHlZGAKW1iF2u3
X-Google-Smtp-Source: AAOMgpd0O6r203L8tPfpgcIYrIk9fnnH7l5WnXVoXo6vy3zH0MWgtT8gmqHTxlSzp+vjZj7WAQCa0aQP+toYU3hK6F8=
X-Received: by 2002:ac8:302e:: with SMTP id f43-v6mr24005833qte.217.1531239021489; Tue, 10 Jul 2018 09:10:21 -0700 (PDT)
MIME-Version: 1.0
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <3161014.mNqxEOqjoE@pintsize.usersys.redhat.com> <CABcZeBP2tZRe96dj6BvCyHZkSyNh+RBt7H2dzO8vsXkQUb+inw@mail.gmail.com> <2926046.DTQ3PP0lUg@pintsize.usersys.redhat.com> <1531237487290.30133@cs.auckland.ac.nz>
In-Reply-To: <1531237487290.30133@cs.auckland.ac.nz>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 10 Jul 2018 12:10:08 -0400
Message-ID: <CAF8qwaCAaVzKKccLQKOvgSpPQe+2M8+jDdtJVy5oQM1+56G_2A@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Hubert Kario <hkario@redhat.com>, Eric Rescorla <ekr@rtfm.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f1ab470570a75d53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9-NYJbnwlh0l-5eWJprlpIoQ8WM>
Subject: Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 16:10:24 -0000

On Tue, Jul 10, 2018 at 11:46 AM Peter Gutmann <pgut001@cs.auckland.ac.nz>;
wrote:

> Hubert Kario <hkario@redhat.com>; writes:
>
> >but randoms in TLS 1.0 and TLS 1.1 are signed (effectively) with SHA-1...
>
> .... but with EMS or LTS in effect, with a lot more than that.
>

EMS does not fix the ServerKeyExchange signature payload. It's still just
the randoms and not the full transcript.

But, fixed or not, it is still signed with SHA-1. Ironically, while signing
the full transcript is indeed preferable, the SLOTH paper (see sections
V.A. and V.B.) shows how it actually then becomes *easier* to exploit a
weak hash function:
https://www.mitls.org/pages/attacks/SLOTH

David