Re: [TLS] Another IRINA bug in TLS

Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr> Sun, 24 May 2015 07:24 UTC

Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76EE81A87E7 for <tls@ietfa.amsl.com>; Sun, 24 May 2015 00:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.56
X-Spam-Level:
X-Spam-Status: No, score=-6.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LMDvOQzilIB for <tls@ietfa.amsl.com>; Sun, 24 May 2015 00:24:00 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61EF1A8758 for <tls@ietf.org>; Sun, 24 May 2015 00:23:59 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.13,485,1427752800"; d="asc'?scan'208";a="126136892"
Received: from 178.92.69.86.rev.sfr.net (HELO [192.168.1.44]) ([86.69.92.178]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES128-SHA; 24 May 2015 09:23:53 +0200
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_363A8CCD-3549-41D0-A0D3-6FCF2912A78E"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail 2.5b6
From: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AB02AA8F@uxcn10-tdc05.UoA.auckland.ac.nz>
Date: Sun, 24 May 2015 09:23:52 +0200
Message-Id: <A7A39FBA-E705-433C-98DD-1FB29AF4E865@inria.fr>
References: <9A043F3CF02CD34C8E74AC1594475C73AB029727@uxcn10-tdc05.UoA.auckland.ac.nz>, <CAH8yC8=F3jJgEzFQSN=ZMvoC4zunAsfHPs1k2km9dvFJ0bvg2g@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73AB02AA8F@uxcn10-tdc05.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JcLkeddG1WFYRHNfw1rokW1izcI>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2015 07:24:04 -0000

The confusion between DSA and PKCS#3 has other unexpected consequences.
As we describe in 3.5 of our Imperfect Forward Secrecy paper, some server
implementations take a DSA group (p,q,g) and, when fitting it to TLS, confuse
the “q” with the generator “g”. This bug leads to a rather nasty attack.

(Yeah, you’d probably want to add this to the WTF category.)


On 24 May 2015, at 09:12, Peter Gutmann <pgut001@cs.auckland.ac.nz>; wrote:

> Jeffrey Walton <noloader@gmail.com>; writes:
> 
>> GnuTLS with its Lim-Lee primes causes me a lot of problems because they
>> cannot be validated.
> 
> Actually the problem isn't GnuTLS (hey, I use Lim-Lee primes as well!), it's
> the fact that TLS uses the PKCS #3 format rather than the DSA format, so
> you've got nice verifiable values for which you have to throw away the
> parameter used to verify them and send them in an unverifiable format.  Having
> said that, there's a pretty simple fix, define an extension that acts like the
> existing propose/accept extensions that signals a change in DH values to the
> DSA form (p, q, g) rather than PKCS #3 form (p, g).  And for TLS 1.3, use the
> DSA form by default, not the PKCS #3 form.
> 
> Peter.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls