Re: [TLS] New cipher suites for SRP

Jeffrey Walton <noloader@gmail.com> Mon, 29 June 2015 14:05 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F131ABC74 for <tls@ietfa.amsl.com>; Mon, 29 Jun 2015 07:05:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeUSKiILMeaj for <tls@ietfa.amsl.com>; Mon, 29 Jun 2015 07:05:54 -0700 (PDT)
Received: from mail-ie0-x22d.google.com (mail-ie0-x22d.google.com [IPv6:2607:f8b0:4001:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DEB61ABC0F for <tls@ietf.org>; Mon, 29 Jun 2015 07:05:54 -0700 (PDT)
Received: by iebmu5 with SMTP id mu5so115384654ieb.1 for <tls@ietf.org>; Mon, 29 Jun 2015 07:05:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=c1VeIvGPDZPF0NHgUQFUg9M5VIYaY81Gun2BtZrcIaQ=; b=q0B0v0rJaAEwM//qRz43wEHxWz5ZD1OcrdapSgQS1KFHAmvBIbS/gTbDHdeDvyCNnn UxPeEP2J2W6u5cK4nUih+b7ylHaJzAF7EEtK/j8W3TJshWu81e71ngtQNjMeJNne6Yo9 Qx734wrG3HmvYb89OHubH3rYOGrz1kviNj/RIVHSQVBjjAHlchM34r1n5Lu3GhAFhR6p 2tsukHL585XlJIkAXJubvGL+LACV+j97umk3Ejd82TWDVGCd5BRVVkWTUZWQm6f5r41X yNCPJeHHVmXj8lZoyICnwc+etFAmq8b+tNgmnG1iNkbPfeixjgP4JAFHo+RT9QrRq44l 70CQ==
MIME-Version: 1.0
X-Received: by 10.107.168.150 with SMTP id e22mr21081480ioj.9.1435586753803; Mon, 29 Jun 2015 07:05:53 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Mon, 29 Jun 2015 07:05:53 -0700 (PDT)
In-Reply-To: <1460843.VCt2HDe3YD@pintsize.usersys.redhat.com>
References: <20150626234801.ED7DDE04DA@smtp.hushmail.com> <36814552.ToKCXeCVxV@pintsize.usersys.redhat.com> <0607259810418348811F3A862D51E885A5A0EC4965@HQMAILSVR02.voltage.com> <1460843.VCt2HDe3YD@pintsize.usersys.redhat.com>
Date: Mon, 29 Jun 2015 10:05:53 -0400
Message-ID: <CAH8yC8kO1c7zLNOvWAk1LpY6dicF4oSOFWRpxgedTsKAs3_V5Q@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Hubert Kario <hkario@redhat.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/InhFTB5lmm-mvQKUSS9ezmMz3jo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New cipher suites for SRP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 14:05:55 -0000

On Mon, Jun 29, 2015 at 9:57 AM, Hubert Kario <hkario@redhat.com> wrote:
> On Monday 29 June 2015 06:55:59 Tom Wu wrote:
>> > +1, provided we do two more things:
>> >
>> >
>> >  - Change the negotiation so that user name is not exchanged in the clear
>> >  - Change key exchange to do PFS
>>
>>
>> SRP already provides PFS automatically.
>
> I'm rather fuzzy about the details (I've read the RFC quite a bit ago), but
> isn't the server key share static in SRP?
>
No.

Here's the step that calls out its a random key (from RFC 5054):

    2.5.3.  Server Key Exchange

   The server key exchange message contains the prime (N), the generator
   (g), and the salt value (s) read from the SRP password file based on
   the user name (I) received in the client hello extension.

   The server key exchange message also contains the server's public
   value (B).  The server calculates this value as B = k*v + g^b % N,
   where b is a random number that SHOULD be at least 256 bits in length
   and k = SHA1(N | PAD(g)).

Things like resumption can affect the forward secrecy, though. But all
cipher suites suffer it equally.

Jeff