IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Eric Rescorla <ekr@rtfm.com> Fri, 13 June 2014 23:02 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68A271A025A for <tls@ietfa.amsl.com>; Fri, 13 Jun 2014 16:02:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0oZeyDHm0ZA6 for <tls@ietfa.amsl.com>; Fri, 13 Jun 2014 16:02:45 -0700 (PDT)
Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A711B2A8B for <tls@ietf.org>; Fri, 13 Jun 2014 16:02:44 -0700 (PDT)
Received: by mail-wg0-f52.google.com with SMTP id b13so3365915wgh.35 for <tls@ietf.org>; Fri, 13 Jun 2014 16:02:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=RBvK5/xqAyOzKFZTGpj87NrMDVr6JxhrLp8to6EEwi0=; b=bmfOJ/IZKU9WXoTV3hBEmFT341zZD5bqMv2uGo8WJUWU5ZDncWXuwf7k3CgsSAEzRL mZ9ByOcHdLZf+y/YfsnGK01kbkHAFtt+wuErfPFt9AlxbJELQDzTjedMiKqD5e6niHMM d3IFDnd8w9XurIFVb7uEx4uKvdHEin55sYC+w/92X8rHtpNOQOSjAjz23Z2NnIXId+Sh U7JSE65WyZ6s2CPlmLkjXRL5mfbqJ/N/niPZozicWDzftVDmchJbY+vbR7mswlS6h4Ys wUgpj5YKsglXv+fBWlJQd/FhLqOtuMSBSBtSz719GhOyD9XJkhSBB2mWisIn7w7p/Pza KlBw==
X-Gm-Message-State: ALoCoQm9hmvFBKTllV2XylA1lKfeeUSvEmcfQzjxMjPNn068PJeGrO63F4LwUa48GTWxYgAkN2r3
X-Received: by 10.180.99.71 with SMTP id eo7mr7844681wib.49.1402700562922; Fri, 13 Jun 2014 16:02:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Fri, 13 Jun 2014 16:02:02 -0700 (PDT)
X-Originating-IP: [2620:101:80fc:232:74a6:4746:3f43:9e51]
In-Reply-To: <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 13 Jun 2014 16:02:02 -0700
Message-ID: <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="f46d044283a8c7b88a04fbbfac68"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LD83pPSuijWgDZUb_GyOQ_Wdx_o
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jun 2014 23:02:46 -0000

On Fri, Jun 13, 2014 at 2:59 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Fri, Jun 13, 2014 at 6:37 PM, Andy Lutomirski <luto@amacapital.net>
> wrote:
> > On 06/13/2014 02:30 PM, Watson Ladd wrote:
> >> For TLS 1.3 we should ensure contributory behaviour is not required to
> >> avoid these issues.
> >
> > What needs to change for this to be the case?  It would be even nicer if
> > the result were provably correct in some reasonable model.
>
> Hash the entire exchange into the generated key, so that a key made by
> someone cheating is only shared with them. I still don't understand
> why this isn't done already: it's needed for the finished message, so
> nothing is saved by not doing it. This is what the triple handshake
> fix is supposed to do, but it does a strange variant that reuses the
> oddball finished message.
>
> (And use a strong hash function: apparently the reason we haven't
> finished fixing Triple Handshake is that some people want to use
> SHA-1. On their heads be it!)
>

Hmm... I don't believe that this isn't done strictly because of SHA-1.
Looking back at what I wrote a while ago:

http://www.ietf.org/mail-archive/web/tls/current/msg12574.html

I believe the question is whether it is acceptable to have a *hash* of
the handshake hashed into the generated key as opposed to having
the handshake itself hashed into the generated key and whether it's
acceptable to have that hash be the combined MD5/SHA1 variant
in TLS < 1.2 and if not what recommendation we should make for
those versions.

-Ekr


> If the protocol is simple enough CryptoVerif can do the proofs with
> some prodding: proving shouldn't really be the issue. Hashing helps
> here by enabling the formation of a concept of "matching exchange",
> and thus significantly constraining an attacker.
>
> Sincerely,
> Watson Ladd
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email