IETF Logo Mail Archive

Re: [TLS] WGLC: draft-ietf-tls-session-hash

Yoav Nir <ynir.ietf@gmail.com> Mon, 24 November 2014 08:44 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4C4D1A1BFA for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 00:44:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TuspCnTaes9V for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 00:44:42 -0800 (PST)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 603B01A1BF2 for <tls@ietf.org>; Mon, 24 Nov 2014 00:44:42 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id y19so11818696wgg.35 for <tls@ietf.org>; Mon, 24 Nov 2014 00:44:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=oXDPINe88iUQSOfalrvu0lABtDNMSx+PRnh651L2dL0=; b=gh0usslA6xhgk3aTQpXwODYJCJBAIn4mI1yLK1RkGsHpWtm+iUQgXNL4M3NZv98zbg fUGPVPlSkxRdE6eXJNv/O0sj4HJqvDh6QijARMx+/+knWNETcna0+mc9qurMNRDU6/GI D51hB1bH9OM67KOrPuuBN7EMSVn3QQkL7GawyNbSnAF+DjiqSi9ztMeatDdf63yrQjj4 1X+WLrhZRKgfeZJK1QTiSsNAY7RpnbJPvAbEBzbMfa6YC3EVwPbbcQHISQThsy2nPD4B tCarl9OID9ikQ5KZfrIsU4jpNVotCCc1gnKfZkbgHueWg5cH9Si0AgHiW9ItuN/+LoAQ fv6w==
X-Received: by 10.194.121.167 with SMTP id ll7mr25395469wjb.26.1416818681123; Mon, 24 Nov 2014 00:44:41 -0800 (PST)
Received: from [172.24.251.68] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id mc10sm11001602wic.24.2014.11.24.00.44.40 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Nov 2014 00:44:40 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <E3E12F78-101D-4BA8-9EFB-53C24362066E@ieca.com>
Date: Mon, 24 Nov 2014 10:44:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <62165FC2-540D-48A5-A7AC-3D6D9087FDD2@gmail.com>
References: <E3E12F78-101D-4BA8-9EFB-53C24362066E@ieca.com>
To: Sean Turner <TurnerS@ieca.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NloS3ANl-F7mp_ucJkSelIF9ReA
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] WGLC: draft-ietf-tls-session-hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 08:44:44 -0000

Hi.

I hadn’t read this before, so these issues may have been discussed before. Sorry if I’m wasting time like this.

The following paragraph from the Introduction is weird:

   Similar scenarios can be achieved when the handshake uses a DHE
   ciphersuite, or an ECDHE ciphersuite with an arbitrary explicit
   curve.  Even if the client or server does not prefer using RSA or
   DHE, the attacker can force them to use it by offering only RSA or
   DHE in its hello messages.  Other key exchanges may also be
   vulnerable.

The first sentence says that (EC)DHE ciphersuites are also vulnerable with explicit params. The last sentence talks of "other key exchanges", which in practice means DHE or ECDHE with named groups or curves. But that lower case “may” is content-free. Suppose a new server supports only ECDHE ciphersuites with named curves (there are some popular web sites that do this today), does it also need the session hash extension? This is not covered in either the introduction or the security considerations.

Second issue: The draft does not say whether a server should include the extension in a resumed session. The extension has no effect (as section 5.1 says), but it should be specified one way or the other. I would go for the less meaningless bytes option.

Third issue: Why can’t an attacker disable this protection by simply omitting the extension from both its ClientHello and ServerHello?  At least in the short term it won’t be practical to fail a handshake because the other side doesn’t support this extension. I guess the answer is that the ruse will work, but the other attacks mentioned in TRIPLE-HS will fail, but it’s not clear to me why. A can still proxy unchanged records from C to S if the connections are resumptions. Perhaps servers should be prohibited from resuming a session set up without this extension if the ClientHello does include the extension.

Yoav


> On Nov 23, 2014, at 9:49 PM, Sean Turner <TurnerS@ieca.com> wrote:
> 
> This is the working group last call for http://datatracker.ietf.org/doc/draft-ietf-tls-session-hash/.  Please review the document and send your comments to the list by Friday, December 12, 2014.  
> 
> Thanks,
> J&S
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email