[TLS] Yet more on digests and Cached-Info
Eric Rescorla <ekr@rtfm.com> Sun, 01 August 2010 14:45 UTC
Date: Sun, 01 Aug 2010 16:45:37 +0200
Message-ID: <AANLkTinB3m5nM89BbJE6H98doJ6Q81ZnUFm_kHXYwr06@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
As promised at the TLS WG meeting in Maastricht, here are my comments from the mic about the nature of the digest in CachedObject:

1. The primary security property we are interested in here is second preimage resistance. Any useful attack that I can think of requires the attacker to produce a new CachedObject that has the same digest as one the server will accept (we assume he can retrieve the server's CachedObjects). Thus, this is second preimage.

2. As I understand the discussion, there were some concerns about the use of a pure digest being weaker than the Finished messages. I think this is unfounded. Remember that in most cases the security of the handshake depends on second preimage anyway, since a failure of 2nd preimage resistance implicates certificates, which are a much richer target.

3. It's actually not clear to me that the PRF is even equally strong here: I would have to think about it a bit, but it's not clear to me that PRFs actually need to exhibit 2nd preimage resistance when the key is known.

4. Tying the digest to the PRF is a problem because that depends on the handshake results which might not be the same for each handshake.

Accordingly, I propose the following:

1. The client offers one or more CachedObjects with any digests of his choice.

2. If SignatureAlgorithms is offered (as required for TLS 1.2), those digests MUST be in the associated HashAlgorithms (thus preserving the implicit guarantee in point #1 above).

How does this sound to people?

-Ekr
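The server-side check that the proposal above calls for, as an added example that is not part of Ekr's message or of any Cached-Info draft: a server receives one or more (hash algorithm, digest) pairs for an object it would otherwise send, accepts only algorithms that appear in the client's signature_algorithms HashAlgorithms list when that extension is present, recomputes the digest over its own copy of the object and compares in constant time. The HashAlgorithm identifiers are the TLS 1.2 registry values from RFC 5246; the tuple encoding of CachedObject and signature_algorithms, the certificate bytes and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# TLS 1.2 HashAlgorithm registry (RFC 5246, section 7.4.1.4.1).
# md5 is listed for completeness; a real server should refuse it.
HASH_ALGORITHMS = {
    1: "md5",
    2: "sha1",
    3: "sha224",
    4: "sha256",
    5: "sha384",
    6: "sha512",
}


def offered_hash_algorithms(signature_algorithms):
    """HashAlgorithm ids present in a client's signature_algorithms list.

    signature_algorithms is modelled here as a list of (hash_id, sig_id)
    pairs (assumption: a simplified form of SignatureAndHashAlgorithm).
    """
    return {hash_id for (hash_id, _sig_id) in signature_algorithms}


def digest_object(hash_id, data):
    """Digest `data` with the registry algorithm `hash_id`."""
    return hashlib.new(HASH_ALGORITHMS[hash_id], data).digest()


def select_cached_object(cached_objects, signature_algorithms, server_object):
    """Pick the client-offered CachedObject the server can honour, or None.

    cached_objects:        list of (hash_id, digest_bytes) offered by the client
                           (assumption: simplified CachedObject encoding).
    signature_algorithms:  list of (hash_id, sig_id), or None when the
                           extension was not offered (pre-TLS-1.2 client).
    server_object:         bytes of the object the server would send, e.g.
                           the body of its Certificate message.
    """
    if signature_algorithms is not None:
        # Point 2 of the proposal: digests MUST use a hash the client also
        # listed in signature_algorithms.
        allowed = offered_hash_algorithms(signature_algorithms)
    else:
        allowed = set(HASH_ALGORITHMS)

    for hash_id, client_digest in cached_objects:
        if hash_id not in HASH_ALGORITHMS or hash_id not in allowed:
            continue  # unknown algorithm, or not in the offered HashAlgorithms
        expected = digest_object(hash_id, server_object)
        # Constant-time comparison: the digest is attacker-controlled input.
        if hmac.compare_digest(expected, client_digest):
            return hash_id, client_digest
    return None


if __name__ == "__main__":
    # Constructed stand-in for the server's Certificate message body.
    cert_bytes = b"-- constructed certificate bytes, not a real DER chain --"
    good = digest_object(4, cert_bytes)  # client has the sha256 digest cached

    # TLS 1.2 client offering sha256 and sha384 with RSA: accepted.
    print(select_cached_object([(4, good)], [(4, 1), (5, 1)], cert_bytes))
    # Same digest, but the client only listed sha384: rejected.
    print(select_cached_object([(4, good)], [(5, 1)], cert_bytes))
```

The rejection in the second call is the point of the proposal: a digest the client never listed as acceptable for signatures is not used for Cached-Info either, so the cached object is no weaker a target than the certificate it replaces.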