Re: [TLS] Key Control Vulnerability in SRP (Triple Handshake Variant)

Trevor Perrin <trevp@trevp.net> Fri, 08 August 2014 20:55 UTC

In-Reply-To: <DB3BE984-3839-4681-97B2-C874C5154DC1@inria.fr>
References: <79E82046-616E-4179-8CF6-12126DDE4640@inria.fr> <DB3BE984-3839-4681-97B2-C874C5154DC1@inria.fr>
Date: Fri, 8 Aug 2014 13:55:44 -0700
Message-ID: <CAGZ8ZG3=xE5xv1oVAaL1Yxc-sm4ZuA+N++E5xt_QrMLYqR+Edw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M0MfXNyCvFKsXb7jchqOn_9PhXo
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] Key Control Vulnerability in SRP (Triple Handshake Variant)

On Fri, Aug 8, 2014 at 1:01 PM, Karthikeyan Bhargavan
<karthikeyan.bhargavan@inria.fr> wrote:
> Hi,
>
> The following is specific to SRP, but perhaps of interest to those working
> with TLS-SRP.
[...]
>
> While investigating the triple handshake attack on various TLS cipher
> suites, we came upon two scenarios in which one of the participants of the
> SRP protocol can unilaterally control the generated session key.

Hi Karthikeyan,

Thanks for the observation.

I haven't followed the triple-handshake discussion closely.  My
impression is that it's a TLS issue - not an SRP issue - which should
be fixed by something like [1].

Is that correct?

Trevor

[1] http://datatracker.ietf.org/doc/draft-bhargavan-tls-session-hash/
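Added example, not code from this thread or from the draft: a Python sketch of the TLS 1.2 master secret derivation with and without the session-hash binding that the cited draft proposes (the RFC 5246 PRF, and the "extended master secret" form in which a hash of the handshake transcript replaces the client and server randoms). It shows why binding the key to the transcript, rather than to the premaster secret alone, addresses a participant who can steer the premaster secret. The premaster secret, randoms and transcripts are constructed values, not real TLS message encodings.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5)."""
    out = b""
    a = seed                                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Legacy derivation: depends only on the premaster secret and the two randoms."""
    return prf(pms, b"master secret", client_random + server_random, 48)

def extended_master_secret(pms: bytes, handshake_transcript: bytes) -> bytes:
    """Session-hash derivation: a hash of the handshake up to and including
    ClientKeyExchange replaces the randoms, so the key covers the whole transcript."""
    session_hash = hashlib.sha256(handshake_transcript).digest()
    return prf(pms, b"extended master secret", session_hash, 48)

# Constructed scenario: one participant has steered two otherwise different
# handshakes to the same premaster secret and the same randoms. The transcripts
# are hypothetical labels standing in for the real handshake messages.
PMS = bytes.fromhex("11" * 48)
CLIENT_RANDOM = bytes.fromhex("22" * 32)
SERVER_RANDOM = bytes.fromhex("33" * 32)
TRANSCRIPT_A = b"ClientHello|ServerHello|ServerKeyExchange(srp_user=alice)|ClientKeyExchange"
TRANSCRIPT_B = b"ClientHello|ServerHello|ServerKeyExchange(srp_user=bob)|ClientKeyExchange"

def compare_sessions():
    """Return (legacy keys identical?, extended keys identical?) for the two sessions."""
    legacy_a = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    legacy_b = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    ext_a = extended_master_secret(PMS, TRANSCRIPT_A)
    ext_b = extended_master_secret(PMS, TRANSCRIPT_B)
    return legacy_a == legacy_b, ext_a == ext_b

if __name__ == "__main__":
    same_legacy, same_ext = compare_sessions()
    print("legacy master secrets identical:", same_legacy)    # True
    print("extended master secrets identical:", same_ext)     # False
```

With the legacy derivation the two sessions end up with the same master secret even though their handshakes differ; with the session hash they do not, which is the property the draft relies on.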