Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Eric Rescorla <> Sat, 27 December 2014 18:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BA53A1A8F50 for <>; Sat, 27 Dec 2014 10:07:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Kf_iIID2Ywxg for <>; Sat, 27 Dec 2014 10:07:06 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9DEFF1A8F49 for <>; Sat, 27 Dec 2014 10:07:05 -0800 (PST)
Received: by with SMTP id n3so18986679wiv.11 for <>; Sat, 27 Dec 2014 10:07:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=87jzx8QsMpaX68l89hlK0vzaBrydfM4hqlmCXrpbgQU=; b=lHawqLmcHam/KsTfiYVAJcrA7H6uMQpWJLIKWm48a/E/JeWhKxxLVvGZEJabBI1Yaa acRrDZVH6dCy3d9XTD7TbKa0VU2X4uu0uVMwlmmIz8YeDA9rMtk4R67Y/WDn49vi+Yo3 P2WgRFH4aE7FzjKDrqYuVDekhTld7ZwoWf4MD+B5x7G6OQv18hS4sgKm5pqkxjlPbJ8T z1B1V0XWAy9KMa03pxUFoTiBdPwUa/sh1Rplk6ogt0aF2+TwimT65G/mEp0g0OlOR4Dw XhgcbhqsVkbgAijROZJd1s1r54jdBHB5ZKH1jIB1mrtkOC24Ih9JR9KbfkGXvwfkhGT2 cC7A==
X-Gm-Message-State: ALoCoQlno7QeckVutlrrrjNxXNelkmM9H0Vx1hiNeXMn/qyfz2PFagMqkJB4hjE4E4k1WlFuhvnk
X-Received: by with SMTP id bd1mr79311991wib.10.1419703624303; Sat, 27 Dec 2014 10:07:04 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sat, 27 Dec 2014 10:06:24 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <20141223143719.GB11149@LK-Perkele-VII> <> <20141224185031.GA4583@LK-Perkele-VII> <> <20141224193906.GB4583@LK-Perkele-VII> <> <> <> <>
From: Eric Rescorla <>
Date: Sat, 27 Dec 2014 10:06:24 -0800
Message-ID: <>
To: Michael StJohns <>
Content-Type: multipart/alternative; boundary="f46d0444e8fd3699a2050b36827a"
Cc: "" <>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 27 Dec 2014 18:07:09 -0000

On Sat, Dec 27, 2014 at 9:41 AM, Michael StJohns <>

>  On 12/27/2014 12:01 PM, Eric Rescorla wrote:
> On Sat, Dec 27, 2014 at 8:49 AM, Michael StJohns <>
> wrote:
>>  On 12/24/2014 4:01 PM, Eric Rescorla wrote:
>>  > >
>>> > > That is, it would be digital signature of:
>>> > >
>>> > > - 32 padding bytes (or ClientRandom)
>>> > > - 32 padding bytes (or ServerRandom)
>>> > > - Context string
>>> > > - Ciphersuite ID (to provode domain separation)
>>> > > - handshake_hash(transcript)
>>> > >
>>> >
>>> > So to be clear, you are proposing that we might (for instance) have
>>> > a signature with (say) SHA-1 over a handshake hash computed with
>>> > SHA-256?
>>> Yes.
>>> E.g ECDSA/SHA1 for signatures and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>> for connection. That would result in SHA-1 signature over SHA-256 hash.
>>> The other way around can't happen with any current ciphersuite (because
>>> every current one has prf-hash of either SHA-256 or SHA-384).
>>  Thanks for the clarification. What do other people think about this
>> suggestion?
>>  -Ekr
>>  Three items -
>> Doing it this way means that SHA1 is a permanent part of TLS1.3 - every
>> implementation will need it.  It also means that the security of the
>> handshake transcript part is no better than that given by SHA1 so if
>> further attacks on SHA1 are discovered, the fix will be TLS1.4.
>  I don't believe that this is correct.
>  - In the current draft, you sign transcript using whatever
> signature/hash pair
>   you have selected. Call that hash H1. So, you sign H1(transcript).
>  - In AGL's existing PR, you sign H1(context || H1(transcript))
>  - In Ilari's proposal, you sign H1(context || H2(transcript)) where H2 is
>   that Hash used by the PRF, which is SHA-256 for the current cipher
>   suites.
>  So, in the case where you want to sign with RSA-SHA1, you would in the
> first case just sign with SHA1, in the second do SHA1(... || SHA1()),
> and in the third case do SHA1(...., || SHA256()).
> I admit to a lot of confusion then as to what you're trying to do here:
> 1) Client offers a number of cipher suites, with the result that there are
> multiple hash functions (PRF) possible.
> 2) Client uses which hash function to summarize the transcript?
> 3) Server knows which hash function the client is using so it can use the
> same one?  Assuming it implements that.
> My point here is that I don't see that you're gaining anything as mostly
> the client doesn't know what the server knows until after the server tells
> it.  The clients choice of which hash (or even which handshake signature
> algorithm) to use will be prone to error until it gets a response from the
> server confirming it.  I think a client  has to maintain parallel hash
> contexts for all offered hash functions until the server makes its choice
> known.

Yes, that's correct, but it's not the end of the analysis. Consider the
diagram of
the handshake from Figure 1:

      ClientKeyShare            -------->
                                <--------                Finished
      Finished                  -------->
      Application Data          <------->        Application Data

In the current design, the client does not know which digest algorithm the
will sign with until the receipt of the CertificateVerify message, so it
parallel hash the server's entire second flight. Similarly, the server does
know what the client will select so it must parallel hash its entire second
flight and the client's Certificate message. By contrast, with the approach
Ilari suggests, both sides only need to parallel hash up to the ServerHello.

It's also worth noting that the potential set of algorithms used in the PRF
currently much narrower than the set of algorithms that implementations
typically support for signature verification (consisting presently of just
SHA-256) and so this also reduces the burden on both sides.

 If the client is willing to negotiate to TLS1.2, the client will still
>> need to run multiple hashes in parallel until it gets the tls version
>> selection confirmation (and the cipher suite selection) from the server as
>> we're not changing how the TLS1.2 signature is calculated.
>  Yes. This is at least in principle also true with TLS 1.3 if we were to
> define
> (and the client were to support) a PRF based on some other hash, such
> as SHA-512.
> Yup - but AFAICT, the only restriction for what goes into the .prf slot in
> the cipher suite is that it must be a hash function useable with HMAC.  I
> would expect future suites to propose SHA3 based hashes for example as well
> as regional/national hash functions.  And I would expect those to work
> without changes to the underlying TLS protocol.

Yes, that might well happen (though to my knowledge, we have not yet
standardized any
regional/national digest functions and I don't see a lot of enthusiasm for
SHA-3). But
both sides are already required to handle these cases because that is the
hash used
for the session_hash computation, so Ilari's proposal will often reduce the
number of
parallel hashes you have to run and will not increase it.