Re: [TLS] Draft status and updates
Eric Rescorla <ekr@rtfm.com> Fri, 04 December 2015 04:21 UTC
In-Reply-To: <20151202192308.GA25802@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNxxC=uOg3bKtJP2bpMa9Z7En_RR2q3zn-qduse+Oh8-g@mail.gmail.com> <20151201185733.GB15222@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNS1r2vjKhioOQdyHh9dgFhFmZL+-6qJQpn01Tqfw2a-g@mail.gmail.com> <20151202170845.GA25111@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBOy=Ank_Pdx05=gwXvku7EaCsi0cUpUP2m3aVYdwHN2MQ@mail.gmail.com> <20151202192308.GA25802@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 Dec 2015 20:20:19 -0800
Message-ID: <CABcZeBNdXLZ_7Fkcbj10m7xaRjryP2a-LK95V93uo2JBSyt8Rw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/K_ndTRT3kF-AqqygVcgKYCMm47o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft status and updates
On Wed, Dec 2, 2015 at 11:23 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> > > > Trying to read between the lines, is your concern that the server is
> > > > now no longer explicitly signing over the ServerConfiguration in
> > > > its CertificateVerify [Note that the client continues to do so]? The idea
> > > > behind removing that was to make the 1-RTT part of the handshake
> > > > more uniform regardless of whether 0-RTT data was used.
> > > > I'm certainly open to putting that back in if it's needed, but can you
> > > > explain your concern in more detail?
> > >
> > > The concern is that an attacker that has managed to inject g^s for
> > > known s is able to impersonate the server even through server certificate
> > > validation on subsequent connections (under some conditions).
> >
> > I'm sorry, I'm still not following. All the data that the server sends is
> > tied to g^y which is signed with the server's certificate, so even if s were
> > published, the attacker should not be able to inject data which the client
> > would accept.
>
> I would certainly expect the signature check, if it is there at all, to
> be proper nonce over SS.
>
> IIRC, the key exchange is explicitly intended to be secure (but forward
> security is lost) if ES is revealed.
>
> Config-authenticated ciphersuites are a different matter (the main
> challenge there seems to be deciding when those are to be enabled[1],
> not so much designing the key exchange[2]).

I may be being stupid, but I think I'm still not following. Do you think you
could provide a ladder diagram showing the messages that demonstrate the
attack you are concerned about?

Best,
-Ekr
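As an added illustration (not part of the original message, and not code from the TLS 1.3 draft or the IETF), the following toy Python model captures the two secrets the thread keeps referring to: SS, derived from the semi-static share g^s carried in the ServerConfiguration, and ES, derived from the per-connection ephemeral share g^y. The HKDF-Extract combination of the two is a simplification that only loosely follows the xSS/xES split of the drafts of the time, the 127-bit prime group is a toy chosen for readability and is useless for real security, and the `passive_attacker_with_s` function is an assumption of this model. It does not attempt to reconstruct Ilari's attack, which has not been spelled out at this point in the thread; it only shows what a network observer who has learned s can and cannot compute from the public shares, and why revealing ES costs forward secrecy when s is also known.

```python
"""Toy model of a two-secret DH key derivation (constructed example).

Client holds ephemeral x; server holds semi-static s (g^s is what the
ServerConfiguration carries) and per-connection ephemeral y.
SS = g^(x*s), ES = g^(x*y); both feed the master secret via HKDF-Extract.
The group below is a toy, NOT a real DH group, and this is NOT the draft's
actual key schedule.
"""
import hashlib
import hmac
import secrets
from typing import Optional

P = (1 << 127) - 1   # toy modulus (a Mersenne prime); illustration only
G = 3                # toy generator


def keygen() -> int:
    """Random private exponent in [1, P-2] (toy group, no subgroup checks)."""
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    # P < 2^127, so the shared value always fits in 16 bytes
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract per RFC 5869: HMAC(salt, IKM), zero salt if none given."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def master_secret(ss: bytes, es: bytes) -> bytes:
    """Combine SS and ES so that knowing only one of them is not enough.

    Assumption of this toy model (loosely shaped like the xSS/xES split of
    the drafts), not a statement about the draft's exact schedule.
    """
    x_ss = hkdf_extract(b"", ss)
    x_es = hkdf_extract(b"", es)
    return hkdf_extract(x_ss, x_es)


def run_handshake(s: int, x: int, y: int) -> dict:
    """Honest client (x) and server (s static, y ephemeral) agree on a master secret."""
    g_s, g_x, g_y = dh_public(s), dh_public(x), dh_public(y)
    client_ss, client_es = dh_shared(x, g_s), dh_shared(x, g_y)
    server_ss, server_es = dh_shared(s, g_x), dh_shared(y, g_x)
    assert client_ss == server_ss and client_es == server_es
    return {
        "g^s": g_s, "g^x": g_x, "g^y": g_y,
        "SS": client_ss, "ES": client_es,
        "master": master_secret(client_ss, client_es),
    }


def passive_attacker_with_s(s: int, g_x: int, es_leaked: Optional[bytes]) -> dict:
    """What an observer who learned s (the thread's "known s") can compute.

    Seeing only the public shares, the attacker can rebuild SS = (g^x)^s,
    but ES still needs x or y.  If ES leaks separately, the master secret
    falls, which is the forward-secrecy loss Ilari mentions.
    """
    ss = dh_shared(s, g_x)
    result = {"SS": ss, "master": None}
    if es_leaked is not None:
        result["master"] = master_secret(ss, es_leaked)
    return result


if __name__ == "__main__":
    s, x, y = keygen(), keygen(), keygen()
    hs = run_handshake(s, x, y)
    atk = passive_attacker_with_s(s, hs["g^x"], None)
    print("attacker rebuilt SS:", atk["SS"] == hs["SS"])
    print("attacker has master without ES:", atk["master"] is not None)
    atk = passive_attacker_with_s(s, hs["g^x"], hs["ES"])
    print("attacker has master once ES leaks:", atk["master"] == hs["master"])
```

Run stand-alone it prints the three checks; the point to take from it is the dependency structure, not the toy arithmetic: a known s hands the observer SS, and everything then rests on ES and hence on the ephemeral g^y the server signs over.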