IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Eric Rescorla <ekr@rtfm.com> Mon, 23 June 2014 00:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EF8F1B27DB for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Level:
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oe4z1Lw5oJ_I for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 17:57:09 -0700 (PDT)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1015D1B27DA for <tls@ietf.org>; Sun, 22 Jun 2014 17:57:08 -0700 (PDT)
Received: by mail-wi0-f182.google.com with SMTP id bs8so3259212wib.9 for <tls@ietf.org>; Sun, 22 Jun 2014 17:57:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=vNWS0mQFTKAb7Mj36xGK/z4BIl82OM4OAWbNx8JFYys=; b=NzxwXn34psXu+IuNsfTMaUvj8ESa3/dsS5lo8mrfLPFAKT3M0EifBZs+VE/7Ij6Y15 XNfwv3gCKF+z0ItipcnDoKz0UW8Lb92CNnB9M3xXtpPonhaVutMZUOuVYNxMQoZWhjaY l45l8OR2A11rxlpLClR2K/tIbl99PN0ajwg339dD70nCJILcdFmwRl9Z48RSqTQcQR69 EKZ/eplCTcAyzaUlYL2KHu6O+chJZDdKZZ7RLKJpnx1f6yyi2AszEyzFOENDET1oSQyc plHnP3eDRGlQPFDMZFcLsDvwRhf5XM8zlkX2+DYM/KcwxT/+6AWqX4C9EbPPEbe4k10u 3VHA==
X-Gm-Message-State: ALoCoQmpdVaaJORZCg8O1FVBFHEPd2DD1bqkDhwvIQbMgq8i0pKZMtjEyrYGgS7UuvVE+TetboiV
X-Received: by 10.180.186.97 with SMTP id fj1mr21633129wic.18.1403485027610; Sun, 22 Jun 2014 17:57:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Sun, 22 Jun 2014 17:56:27 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com> <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com> <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Jun 2014 17:56:27 -0700
Message-ID: <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c2584e84cf7c04fc7652df"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9ifkfgchYhQ2ljAfeq5K5S5JM0k
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 00:57:12 -0000

On Fri, Jun 13, 2014 at 7:05 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Fri, Jun 13, 2014 at 8:02 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Fri, Jun 13, 2014 at 2:59 PM, Watson Ladd <watsonbladd@gmail.com>
> wrote:
> >>
> >> On Fri, Jun 13, 2014 at 6:37 PM, Andy Lutomirski <luto@amacapital.net>
> >> wrote:
> >> > On 06/13/2014 02:30 PM, Watson Ladd wrote:
> >> >> For TLS 1.3 we should ensure contributory behaviour is not required
> to
> >> >> avoid these issues.
> >> >
> >> > What needs to change for this to be the case?  It would be even nicer
> if
> >> > the result were provably correct in some reasonable model.
> >>
> >> Hash the entire exchange into the generated key, so that a key made by
> >> someone cheating is only shared with them. I still don't understand
> >> why this isn't done already: it's needed for the finished message, so
> >> nothing is saved by not doing it. This is what the triple handshake
> >> fix is supposed to do, but it does a strange variant that reuses the
> >> oddball finished message.
> >>
> >> (And use a strong hash function: apparently the reason we haven't
> >> finished fixing Triple Handshake is that some people want to use
> >> SHA-1. On their heads be it!)
> >
> >
> > Hmm... I don't believe that this isn't done strictly because of SHA-1.
> > Looking back at what I wrote a while ago:
> >
> > http://www.ietf.org/mail-archive/web/tls/current/msg12574.html
> >
> > I believe the question is whether it is acceptable to have a *hash* of
> > the handshake hashed into the generated key as opposed to having
> > the handshake itself hashed into the generated key and whether it's
> > acceptable to have that hash be the combined MD5/SHA1 variant
> > in TLS < 1.2 and if not what recommendation we should make for
> > those versions.
>
> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as
> if H(m || stuff)=H(m' || stuff).
>

Well, this isn't quite the two cases we are considering, since we are
computing either:

HMAC(Key, stuff)

or:

HMAC(Key, H(stuff))

with:
- stuff being under partial control of the attacker and
- the Key being subject to the issue you raise in the message
that started this thread.

It may well be that these are equally secure, and if you have an analysis
that demonstrates that, then it would be useful in assessing how to
move forward with this draft.

Thanks
-Ekr

v2.23.0 | Report a Bug | By Email