[TLS] Yet more on digests and Cached-Info

Eric Rescorla <ekr@rtfm.com> Sun, 01 August 2010 14:45 UTC

Date: Sun, 01 Aug 2010 16:45:37 +0200
Message-ID: <AANLkTinB3m5nM89BbJE6H98doJ6Q81ZnUFm_kHXYwr06@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: tls@ietf.org
Subject: [TLS] Yet more on digests and Cached-Info

As promised at the TLS WG meeting in Maastricht, here are my comments from
the mic about the nature of the digest in CachedObject:

1. The primary security property we are interested in here is second preimage resistance. Any useful attack that I can think of requires the attacker to produce a new CachedObject that has the same digest as one the server will accept (we assume he can retrieve the server's CachedObjects). Thus, this is second preimage.

2. As I understand the discussion, there were some concerns about the use of a pure digest being weaker than the Finished messages. I think this is unfounded. Remember that in most cases the security of the handshake depends on second preimage anyway, since a failure of 2nd preimage resistance implicates certificates, which are a much richer target.

3. It's actually not clear to me that the PRF is even equally strong here: I would have to think about it a bit, but it's not clear to me that PRFs actually need to exhibit 2nd preimage resistance when the key is known.

4. Tying the digest to the PRF is a problem because that depends on the handshake results which might not be the same for each handshake.

Accordingly, I propose the following:

1. The client offers one or more CachedObjects with any digests of his choice.
2. If SignatureAlgorithms is offered (as required for TLS 1.2), those digests MUST be in the associated HashAlgorithms (thus preserving the implicit guarantee in point #1 above).

How does this sound to people?

-Ekr
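An added illustration of the proposal, not code from this message or from the cached-info draft: a server-side check that accepts an offered CachedObject only when its digest algorithm is among the HashAlgorithms the client listed in signature_algorithms (if that extension is present) and the digest actually matches the server's own object. The three-field CachedObject layout (type, HashAlgorithm, hash_value), the type id 1 for the certificate chain, and the sample bytes are assumptions constructed for the example; the HashAlgorithm ids are the TLS 1.2 registry values.

```python
import hashlib
import hmac

# TLS 1.2 HashAlgorithm ids (RFC 5246, section 7.4.1.4.1).
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}

# Assumed CachedInformationType id for the server's certificate chain.
CERT_CHAIN = 1

# Constructed stand-in for the server's certificate chain bytes.
SAMPLE_CHAIN = b"constructed certificate chain bytes for the example"


def digest(hash_alg, data):
    """Digest `data` under the TLS HashAlgorithm id `hash_alg`."""
    return hashlib.new(HASH_ALGS[hash_alg], data).digest()


def hashes_from_signature_algorithms(sig_algs):
    """Set of HashAlgorithm ids in a signature_algorithms list of (hash, sig) pairs."""
    return {hash_alg for hash_alg, _sig_alg in sig_algs}


def check_cached_objects(cached_objects, sig_algs, server_objects):
    """Apply the proposed rule on the server side.

    cached_objects: list of (type, hash_alg, hash_value) offered by the client
                    (assumed CachedObject layout).
    sig_algs:       the client's signature_algorithms pairs, or None if the
                    extension was not offered (pre-TLS 1.2 client).
    server_objects: {type: bytes} the server holds for each cacheable object.
    Returns the types whose cached copy the server may rely on.
    """
    allowed = hashes_from_signature_algorithms(sig_algs) if sig_algs is not None else None
    accepted = []
    for obj_type, hash_alg, hash_value in cached_objects:
        if hash_alg not in HASH_ALGS:
            continue  # unknown digest algorithm: ignore this object
        if allowed is not None and hash_alg not in allowed:
            continue  # violates the MUST in point 2 of the proposal
        data = server_objects.get(obj_type)
        if data is None:
            continue  # nothing to compare against
        # Constant-time comparison so mismatch position is not observable.
        if hmac.compare_digest(digest(hash_alg, data), hash_value):
            accepted.append(obj_type)
    return accepted
```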