Re: [TLS] TLS and KCI vulnerable handshakes
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 11 August 2015 18:25 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0E001AD06F for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 11:25:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHl3zf39i0Qj for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 11:25:47 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 724D91AD06E for <tls@ietf.org>; Tue, 11 Aug 2015 11:25:47 -0700 (PDT)
Received: by qkfj126 with SMTP id j126so20867131qkf.0 for <tls@ietf.org>; Tue, 11 Aug 2015 11:25:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=AhoWC2c4sBryWfWLKUkE8sUA90Ic6s3hvKa51rT0t6A=; b=R1C2SVb+UAiH8OQ6UaQVVvB2kM91JgNh//ATD+Ylz6Hr6Xh0/RkHIvxYDWOeYwpYG3 o16acKmSl5EjY5O3Ets3ziYiSDvG/s8VittagzjRr7xq/zCCRl7g3dvl50NKmS23yTCI egr74EItq+YORy3wskm0f+OMnLq5KE7jCAfJj0keWWkkmJ83N7V8HcguA7ht2fLrG6r3 kTS683cRPuiByG/zqzDLYRXfzJArKbISwUBNHdwBN3b9IqHDHf7/O3YT+ffrb3PA0Bhh RxlSGHPuEpuklHFVmaGdNP8Le9irOQHUBoGXaGrf8myo1HlKHBropFuebADou1R54VBK H1HA==
X-Received: by 10.55.31.225 with SMTP id n94mr51703924qkh.17.1439317546766; Tue, 11 Aug 2015 11:25:46 -0700 (PDT)
Received: from [10.59.3.68] ([65.205.30.226]) by smtp.gmail.com with ESMTPSA id f101sm1666993qkf.22.2015.08.11.11.25.44 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Aug 2015 11:25:46 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz>
Date: Tue, 11 Aug 2015 14:25:42 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <9690882F-B794-4D1D-973F-DE7F90120CC3@gmail.com>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/M3mrP9mM8Oupy4lr3uMg2wVqx4o>
Cc: Clemens Hlauschek <clemens.hlauschek@rise-world.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and KCI vulnerable handshakes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 18:25:49 -0000
>> https://www.usenix.org/conference/woot15/workshop-program/presentation/hlauschek > > Some comments on this, it looks like it requires a "cert with static (EC)DH > key" in order to work, which would mean an X9.42 cert. Since no (public) CA > that I know of can handle or issue such certs, this probably provides a > reasonable amount of defence against this attackā¦ No, a regular ECDSA certificate would do. That is, the attack would work as long as - a client has an ECDSA certificate, and - it enables any static TLS_ECDH_* cipher suite, and - its ECDSA private key has been stolen (or chosen) by an attacker. Best, Karthik > > In terms of the suggested countermeasures: > >> Set appropriate X509 Key Usage extension for ECDSA and DSS certificates, and >> disable specifically the KeyAgreement flag > > Since the keyUsage flags are widely ignored by implementations, this won't > provide the protection that the text implies. > > Peter. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Karthikeyan Bhargavan
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Ilari Liusvaara
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Daniel Kahn Gillmor
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Salz, Rich
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Watson Ladd