Re: [TLS] TLS and KCI vulnerable handshakes

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 12 August 2015 01:50 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 12 Aug 2015 01:50:23 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4AD858F@uxcn10-5.UoA.auckland.ac.nz>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz> <9690882F-B794-4D1D-973F-DE7F90120CC3@gmail.com> <CABkgnnXruou6BbgZK8vWUeyb-gW5OTSZKPwPVPwZ826usNz9RA@mail.gmail.com>, <20150811190544.GA13734@LK-Perkele-VII>
In-Reply-To: <20150811190544.GA13734@LK-Perkele-VII>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/McxkDskKs92fjQCSOMqcPWxRkGw>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Clemens Hlauschek <clemens.hlauschek@rise-world.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and KCI vulnerable handshakes

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes:

>a) ECDSA certs are usable for ECDH (modulo KeyUsage) because there is no
>ECDSA-specific keytype in X.509.

That's always concerned me about ECC certs: all you can say about a key is
"ECC", not "signing key" or "key agreement key" (I'm sure this was seen as a
great feature when the key format was designed, "ECC is so much more flexible
than RSA, you can use it for anything!").  My code explicitly ACLs ECC keys
coming from certs to be signing-only in order to deal with this problem.

Peter.
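The check Peter describes (a certificate's EC key carries only the generic id-ecPublicKey type, so the KeyUsage extension is the only place that can say "signing" versus "key agreement", and his implementation simply never grants a cert key static ECDH) is easy to see in code. The block below is an added illustration written for this archive page; it is not cryptlib or anything posted in the thread. The minimal DER decoders, the sample DER encodings and the `cert_keys_sign_only` switch are all constructed for the example. With the switch on, a key taken from a certificate is granted signing only, whatever KeyUsage asserts; with it off, the RFC 5280 semantics apply, including "no KeyUsage means no restriction", which is exactly how the same key ends up usable for both ECDSA and ECDH.

```python
"""Decide what an X.509 EC key may be used for from its SubjectPublicKeyInfo
algorithm OID and KeyUsage extension.  Added example, not cryptlib or any other
project's code; DER helpers and sample values are constructed for it."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey: used for ECDSA and ECDH alike

# KeyUsage bit positions (RFC 5280, section 4.2.1.3)
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}


def _tlv(der: bytes, tag: int) -> bytes:
    """Return the contents of one short-form DER TLV carrying the given tag."""
    if len(der) < 2 or der[0] != tag:
        raise ValueError("expected tag 0x%02x" % tag)
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("only short-form, exact-length TLVs are handled here")
    return der[2:]


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06) into dotted form."""
    body = _tlv(der, 0x06)
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80 == 0:  # last octet of this sub-identifier
            if not arcs:      # first sub-identifier packs the first two arcs
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def decode_key_usage(der: bytes) -> set:
    """Decode a KeyUsage BIT STRING (tag 0x03) into the set of asserted flag names."""
    body = _tlv(der, 0x03)
    if not body:
        raise ValueError("BIT STRING needs an unused-bits octet")
    unused, bits = body[0], body[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits count")
    if bits and bits[-1] & ((1 << unused) - 1):
        raise ValueError("non-DER: padding bits are not zero")
    names = set()
    for index, name in KEY_USAGE_BITS.items():
        byte, bit = divmod(index, 8)
        if byte < len(bits) and bits[byte] & (0x80 >> bit):  # bit 0 is the MSB
            names.add(name)
    return names


def permitted_operations(spki_alg_der: bytes, key_usage_der,
                         cert_keys_sign_only: bool = True) -> set:
    """Map a certificate key to the TLS operations an endpoint will perform with it.

    key_usage_der is None when the certificate carries no KeyUsage extension.
    cert_keys_sign_only=True models the signing-only ACL described in the mail
    (an assumption about how that policy would be expressed, not cryptlib's API):
    a cert key is never granted static ECDH, whatever KeyUsage says.
    """
    usage = decode_key_usage(key_usage_der) if key_usage_der is not None else None
    ops = set()
    if decode_oid(spki_alg_der) != ID_EC_PUBLIC_KEY:
        return ops  # deny by default for key types this example does not model
    # Absent KeyUsage imposes no restriction under RFC 5280
    if usage is None or "digitalSignature" in usage:
        ops.add("ecdsa-sign")
    if not cert_keys_sign_only and (usage is None or "keyAgreement" in usage):
        ops.add("static-ecdh")
    return ops


# Constructed sample encodings
EC_OID_DER = bytes.fromhex("06072a8648ce3d0201")      # OID 1.2.840.10045.2.1
KU_SIGN_ONLY = bytes.fromhex("03020780")              # digitalSignature
KU_SIGN_AND_AGREE = bytes.fromhex("03020388")         # digitalSignature, keyAgreement
KU_AGREE_ONLY = bytes.fromhex("03020308")             # keyAgreement

if __name__ == "__main__":
    for label, ku in [("sign only", KU_SIGN_ONLY), ("sign+agree", KU_SIGN_AND_AGREE),
                      ("agree only", KU_AGREE_ONLY), ("no KeyUsage", None)]:
        print("%-12s strict=%s  rfc5280=%s" % (
            label, sorted(permitted_operations(EC_OID_DER, ku)),
            sorted(permitted_operations(EC_OID_DER, ku, cert_keys_sign_only=False))))
```

The "agree only" and "no KeyUsage" rows are the interesting ones: without the strict policy, the first yields an EC cert key that is usable only for static ECDH and the second yields one usable for both, which is the situation the mail objects to; with the policy, neither is ever handed to a static ECDH exchange.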