IETF Logo Mail Archive

Re: [TLS] draft-turner-ssl-must-not

Marsh Ray <marsh@xs01.extendedsubset.com> Tue, 06 July 2010 05:00 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E16B3A6895 for <tls@core3.amsl.com>; Mon, 5 Jul 2010 22:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ohWbeX5gPwNp for <tls@core3.amsl.com>; Mon, 5 Jul 2010 22:00:02 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id D87BA3A685F for <tls@ietf.org>; Mon, 5 Jul 2010 22:00:01 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OW0GH-000C06-Jw; Tue, 06 Jul 2010 05:00:01 +0000
Received: by xs01.extendedsubset.com (Postfix, from userid 2000) id 129CE6334; Tue, 6 Jul 2010 05:00:00 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19h7RGPEOv7VOZmpI43rJGCG8USweMaJ7s=
Date: Tue, 06 Jul 2010 05:00:00 +0000
From: Marsh Ray <marsh@xs01.extendedsubset.com>
To: Bodo Moeller <bmoeller@acm.org>
Message-ID: <20100706050000.GB31051@xs01.extendedsubset.com>
References: <E1OUwPG-0002HY-Cw@wintermute02.cs.auckland.ac.nz> <4C2F906F.4030709@extendedsubset.com> <AANLkTiliMrjFjL11uzDVJU4m9KOFoQaVphKIgHed0D8u@mail.gmail.com> <4C2FB9DC.2040700@extendedsubset.com> <1278203103.4200.14.camel@beta> <4C2FEF99.6020501@extendedsubset.com> <65E00AB9-2F19-4B24-81AB-D6C72D593D32@acm.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <65E00AB9-2F19-4B24-81AB-D6C72D593D32@acm.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-turner-ssl-must-not
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 05:00:04 -0000

On Sun, Jul 04, 2010 at 01:31:44PM +0200, Bodo Moeller wrote:
>
> MD5 and SHA-1, of course, *do* use a small state, but let's be 
> clear what the scope of the theoretical result actually is.

Well, I thought it was pretty cool. :-)

Last I heard SHA-1 was down to 2^69 and MD5 2^24.
http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
http://www.win.tue.nl/hashclash/On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf

> Also, don't forget that the use of these hash functions in TLS 1.0  
> doesn't actually have the ambitious goal of collision resistance

It would be really great if this kind of thing had been documented as
part of the design process. The Glossary section of RFC 4346 talks
about collision resistance as a property of MD5 and SHA-1.

Recently there have been some proposals for extensions to TLS which
loosen up some ordering dependencies or even change the crypto quite
dramatically. It would be unfortunate if some under-documented
assumptions were accidentally violated because they weren't well
understood.

> -- it's 
> just that it uses ingredients that were meant to deliver this (but
> which,  even if failing at this, don't completely break apart: 
> http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html).

Again, RFC 4346:
------------------
   When this message will be sent:

      This message is used to provide explicit verification of a client
      certificate. 
	.....
      struct {
           Signature signature;
      } CertificateVerify;

      struct {
          select (SignatureAlgorithm) {
              case anonymous: struct { };
              case rsa:
                  digitally-signed struct {
                      opaque md5_hash[16];  <----- Note concatenated
                      opaque sha_hash[20];  <----- non-HMAC hashes here.
                  };
              case dsa: ...
              };
          };
      } Signature;

      CertificateVerify.signature.md5_hash
          MD5(handshake_messages);

      CertificateVerify.signature.sha_hash
          SHA(handshake_messages);

   Here handshake_messages refers to all handshake messages sent or
   received starting at client hello up to but not including this
   message, ....
------------------

So we definitely have some red flags going up here:
   * Raw hashes used without HMAC for signing important stuff
   * Concatenated iterated hash functions
   * Mitm can manipulate variable-length data under the hash in both
     directions

These suggest the possibility of a client cert credential stealing attack
(for the purely theoretical attcker who can collide SHA-1s within the
handshake timeout).  There are any number of reasons this might not
translate into a practical attack, but I think it supports a couple of
points:

   * Some aspects of TLS security have excessively subtle dependencies.

   * The Joux attack on concatenated iterated hashes is relevant to TLS.

   * TLS 1.0 and 1.1 are quite possibly pwned with the first published
     collision of SHA-1 and should be deprecated along with other uses
     of SHA-1.

   * Client certificates are not the solution to everything ;-)
 
- Marsh

v2.23.0 | Report a Bug | By Email