[TLS] draft-tls-tls13 - comments on section 4.8.1 Digital Signature
Daniel Migault <daniel.migault@ericsson.com> Fri, 27 May 2016 20:18 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FEAC12D127 for <tls@ietfa.amsl.com>; Fri, 27 May 2016 13:18:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmlfpwzTHyTM for <tls@ietfa.amsl.com>; Fri, 27 May 2016 13:17:59 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA53C12D0AB for <tls@ietf.org>; Fri, 27 May 2016 13:17:58 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id a136so6515966wme.0 for <tls@ietf.org>; Fri, 27 May 2016 13:17:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to; bh=bfrxBJA6VNs78fODl81AN2CBnND8+v1lvHYZvEMJlwg=; b=hEukkx9wtIF1gBLdNHrMGlKHsy91fYOIY9Ge2wkHmLgZw5s0usvu8+gai3cvjRoSgK PAR/Hs8Oo1CARt/TI9jIR5XReSbfImmuyvDpDf/QkyYNYNbh1+HJ+irv8citd5PfHYQt aw8OVpcsmOaFHpM03bJEkR8aeoWJtzCjn4/ZOloHsPpZjl6H6f8a5Wgn349O93A5gn/F l3T/f++u+J+mlpCfsLflG3O4klGyjPm/GIX6xbPoPCJSTubAhtdihYrHq8lPteTm9bZe ViZyqPAHadt/u3M7MajMg5jSTFvBs87apV+P4OeH1fRq9hXj5pugATGcmVEYNRp1CoK4 zqYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to; bh=bfrxBJA6VNs78fODl81AN2CBnND8+v1lvHYZvEMJlwg=; b=bea4RNvUGaPoCofnTMq6PLBZuyjjxSX7R2MphIyopexlxmmL2lGxW11IvgRmTjIH0l HPHrhk+2USf/c9o6YeJowHPnVa6LJd8s/wtfGJSBgBo+w3H1QA2w40J/qH7GoXfcMRu+ QkBKhQlIRarkDcOU7u2JGpJP4GtWbi7RmJtY4g9QAMjubugIqApvpFCRK2MiwRw5c9mt wr1dNG6CK38WS/7T8mEMTNz480ylyN+qNfma/llzMskTEkuj9LLQLokHi5tC+lwgwEAe qeAxc4QMa7NabBEMof7wC/EsbvEY3E8DMWi/rctxhoMj7KL2uueT2k/PnXQIS19CXTo9 Q8zA==
X-Gm-Message-State: ALyK8tJaYs07MP/iMV9DEWdVvCIM4/habZiWPFnXOJHY2vAt+nrNOllHRkumvK7rl1r7ei8PloGsjAWCs5rf6A==
MIME-Version: 1.0
X-Received: by 10.28.103.2 with SMTP id b2mr424515wmc.28.1464380277092; Fri, 27 May 2016 13:17:57 -0700 (PDT)
Sender: mglt.ietf@gmail.com
Received: by 10.194.236.1 with HTTP; Fri, 27 May 2016 13:17:57 -0700 (PDT)
Date: Fri, 27 May 2016 16:17:57 -0400
X-Google-Sender-Auth: zYOgcwSBEP82HcOWBAWEebJwWYk
Message-ID: <CADZyTk=WDQ3yxvqY5vuczsoTtXb6LUPJk0T6fWDYOFCJXPeJAw@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
To: tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114af9083b7cae0533d89a11"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/AYSDPvSRV8bvwis8HTGTzwLh1IM>
Subject: [TLS] draft-tls-tls13 - comments on section 4.8.1 Digital Signature
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 May 2016 20:18:00 -0000
Hi,
I have a few comments while reading 4.8.1 Digital Signature of
draft-tls-tls13.Hope it helps.
BR,
Daniel
Comment a)
"In previous versions of TLS, the ServerKeyExchange format meant that
attackers can obtain a signature of a message with a chosen, 32-byte prefix.
"
My understanding is that the ServeKeyExchange format defines the bits
exchanged between the TLS Client and the TLS Server. I think the attack
vector is more coming from how the signatures are computed. I would rather
propose something like:
"In previous version of TLS, the signature of the ECDH or EDH public key is
performed by concatenating the client random, the server random to the
public keys. The concatenation is hash and then signed. As the client
random is chosen by the TLS CLient, such design allows an attacker to
obtain a signature of a message with a chosen 32-byte prefix."
Comment b)
"Because TLS 1.3 servers are likely to also implement prior versions, the
contents of the element always start with 64 bytes of octet 32 in order to
clear that chosen-prefix.
I think some additional steps need to be explicitly specified. I am not
completely sure of what is being signed.
a) padding + context + H(client.random + server + random + ECDHE/DHE
Params)
OR
b) padding + context + client.random + server + random + ECDHE/DHE
Params
OR
c) padding + context + ECDHE/DHE Params
OR
d) something else
I assume that is a) in which case, the reason for choosing this format is
to constraint changes between TLS versions at the signing module. In
addition, if the correct scheme is a) maybe some additional text or
reference could explain why the padding and context solves this problem. By
prepending a fixed padding and some context, to the output of the hash
function, the TLS Client does not control the input that is signed as
cryptographic hash function are expected to be non-invertible.
Comment c)
"A single 0 byte is appended to the context to act as a separator."
When describing how the input to be signed is built, it may be clearer to
emphasize that string ends with 0, whihc leads to a "00" separator. I would
propose to add something like: "As the string ends with a "0" byte, the
binary representation will results in two zero bytes."
Comment d)
It would help the reader to add that “Example” is represented in hexa
by 4578616d706c650
with the end of string character.
- [TLS] draft-tls-tls13 - comments on section 4.8.1… Daniel Migault
- Re: [TLS] draft-tls-tls13 - comments on section 4… Eric Rescorla
- Re: [TLS] draft-tls-tls13 - comments on section 4… Daniel Migault