Re: [TLS] Draft status and updates
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 02 December 2015 17:08 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BA1B1A1A25 for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:08:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_12=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-tfS3qwO00o for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:08:49 -0800 (PST)
Received: from filtteri1.pp.htv.fi (filtteri1.pp.htv.fi [213.243.153.184]) by ietfa.amsl.com (Postfix) with ESMTP id AB9B31A0367 for <tls@ietf.org>; Wed, 2 Dec 2015 09:08:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri1.pp.htv.fi (Postfix) with ESMTP id 2183B21B804; Wed, 2 Dec 2015 19:08:48 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp5.welho.com ([213.243.153.39]) by localhost (filtteri1.pp.htv.fi [213.243.153.184]) (amavisd-new, port 10024) with ESMTP id O54olU5GpaJ1; Wed, 2 Dec 2015 19:08:48 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp5.welho.com (Postfix) with ESMTPSA id EF8EA5BC002; Wed, 2 Dec 2015 19:08:47 +0200 (EET)
Date: Wed, 02 Dec 2015 19:08:45 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20151202170845.GA25111@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNxxC=uOg3bKtJP2bpMa9Z7En_RR2q3zn-qduse+Oh8-g@mail.gmail.com> <20151201185733.GB15222@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNS1r2vjKhioOQdyHh9dgFhFmZL+-6qJQpn01Tqfw2a-g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBNS1r2vjKhioOQdyHh9dgFhFmZL+-6qJQpn01Tqfw2a-g@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/GemYMoKZeJ5ynJrbR4AkdIznthI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft status and updates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:08:52 -0000
On Tue, Dec 01, 2015 at 11:19:15AM -0800, Eric Rescorla wrote: > > 3. The server provides g^y in his ServerHello and then g^xy and g^xs > are jointly used to produce the traffic keys and also to form a MAC over > the handshake. As Hugo pointed out originally, this alone should > be sufficient to authenticate the server's side of the connection and > you could omit the server CertificateVerify (Hugo, please correct > me if I have misunderstood). Is it guaranteed that the groups are the same? Even if it is, due to implementation bugs, bad idea to rely upon that. > Trying to read between the lines, is your concern that the server is > now no longer explicitly signing over the ServerConfiguration in > its CertificateVerify [Note that the client continues to do so]? The idea > behind removing that was to make the 1-RTT part of the handshake > more uniform regardless of whether 0-RTT data was used. > I'm certainly open to putting that back in if it's needed, but can you > explain your concern in more detail? The concern is that attacker that has managed to inject g^s for known s is able to impersonate the server even through server certificate validation on subsequent connections (under some conditions). (Indirectly) signing g^s would prevent this. ... Funkily enough, this attack doesn't work against either tls-unique nor tls-extractor (however, those still fail nonce check with respect to SS)... -Ilari
- [TLS] Draft status and updates Eric Rescorla
- Re: [TLS] Draft status and updates Ilari Liusvaara
- Re: [TLS] Draft status and updates Eric Rescorla
- Re: [TLS] Draft status and updates Eric Rescorla
- Re: [TLS] Draft status and updates Eric Rescorla
- Re: [TLS] Draft status and updates Ilari Liusvaara
- Re: [TLS] Draft status and updates Ilari Liusvaara
- Re: [TLS] Draft status and updates Eric Rescorla