Re: [TLS] draft-turner-ssl-must-not
Marsh Ray <marsh@xs01.extendedsubset.com> Tue, 06 July 2010 05:00 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E16B3A6895 for <tls@core3.amsl.com>; Mon, 5 Jul 2010 22:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ohWbeX5gPwNp for <tls@core3.amsl.com>; Mon, 5 Jul 2010 22:00:02 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id D87BA3A685F for <tls@ietf.org>; Mon, 5 Jul 2010 22:00:01 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OW0GH-000C06-Jw; Tue, 06 Jul 2010 05:00:01 +0000
Received: by xs01.extendedsubset.com (Postfix, from userid 2000) id 129CE6334; Tue, 6 Jul 2010 05:00:00 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19h7RGPEOv7VOZmpI43rJGCG8USweMaJ7s=
Date: Tue, 06 Jul 2010 05:00:00 +0000
From: Marsh Ray <marsh@xs01.extendedsubset.com>
To: Bodo Moeller <bmoeller@acm.org>
Message-ID: <20100706050000.GB31051@xs01.extendedsubset.com>
References: <E1OUwPG-0002HY-Cw@wintermute02.cs.auckland.ac.nz> <4C2F906F.4030709@extendedsubset.com> <AANLkTiliMrjFjL11uzDVJU4m9KOFoQaVphKIgHed0D8u@mail.gmail.com> <4C2FB9DC.2040700@extendedsubset.com> <1278203103.4200.14.camel@beta> <4C2FEF99.6020501@extendedsubset.com> <65E00AB9-2F19-4B24-81AB-D6C72D593D32@acm.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <65E00AB9-2F19-4B24-81AB-D6C72D593D32@acm.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-turner-ssl-must-not
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 05:00:04 -0000
On Sun, Jul 04, 2010 at 01:31:44PM +0200, Bodo Moeller wrote: > > MD5 and SHA-1, of course, *do* use a small state, but let's be > clear what the scope of the theoretical result actually is. Well, I thought it was pretty cool. :-) Last I heard SHA-1 was down to 2^69 and MD5 2^24. http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf http://www.win.tue.nl/hashclash/On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf > Also, don't forget that the use of these hash functions in TLS 1.0 > doesn't actually have the ambitious goal of collision resistance It would be really great if this kind of thing had been documented as part of the design process. The Glossary section of RFC 4346 talks about collision resistance as a property of MD5 and SHA-1. Recently there have been some proposals for extensions to TLS which loosen up some ordering dependencies or even change the crypto quite dramatically. It would be unfortunate if some under-documented assumptions were accidentally violated because they weren't well understood. > -- it's > just that it uses ingredients that were meant to deliver this (but > which, even if failing at this, don't completely break apart: > http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html). Again, RFC 4346: ------------------ When this message will be sent: This message is used to provide explicit verification of a client certificate. ..... struct { Signature signature; } CertificateVerify; struct { select (SignatureAlgorithm) { case anonymous: struct { }; case rsa: digitally-signed struct { opaque md5_hash[16]; <----- Note concatenated opaque sha_hash[20]; <----- non-HMAC hashes here. }; case dsa: ... }; }; } Signature; CertificateVerify.signature.md5_hash MD5(handshake_messages); CertificateVerify.signature.sha_hash SHA(handshake_messages); Here handshake_messages refers to all handshake messages sent or received starting at client hello up to but not including this message, .... ------------------ So we definitely have some red flags going up here: * Raw hashes used without HMAC for signing important stuff * Concatenated iterated hash functions * Mitm can manipulate variable-length data under the hash in both directions These suggest the possibility of a client cert credential stealing attack (for the purely theoretical attcker who can collide SHA-1s within the handshake timeout). There are any number of reasons this might not translate into a practical attack, but I think it supports a couple of points: * Some aspects of TLS security have excessively subtle dependencies. * The Joux attack on concatenated iterated hashes is relevant to TLS. * TLS 1.0 and 1.1 are quite possibly pwned with the first published collision of SHA-1 and should be deprecated along with other uses of SHA-1. * Client certificates are not the solution to everything ;-) - Marsh
- [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Ivan Ristic
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nasko Oskov
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Nelson B Bolyard
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Ben Laurie
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Yoav Nir
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Simon Josefsson
- [TLS] Finished verify_data collision (Was Re: dra… Marsh Ray
- Re: [TLS] Finished verify_data collision (Was Re:… Nikos Mavrogiannopoulos
- Re: [TLS] Finished verify_data collision (Was Re:… Marsh Ray