Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Adam Langley <agl@imperialviolet.org> Sat, 27 December 2014 17:01 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11CA81A8970 for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 09:01:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g036eSMAdz-3 for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 09:01:35 -0800 (PST)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2346C1A896B for <tls@ietf.org>; Sat, 27 Dec 2014 09:01:34 -0800 (PST)
Received: by mail-la0-f46.google.com with SMTP id q1so9635346lam.5 for <tls@ietf.org>; Sat, 27 Dec 2014 09:01:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=UPJGz8RBH+1UEDpM8OSoeBS55R8PYczMly06QxrsoKQ=; b=f2sWmFduWi/lgHHGntHp3N77oK94SEIS7K8oA5hst9nnV7sMzNqx8RAodSSHrl8Nbd EqjDOTtJFEtfXTfV8bN08S16OD3zVDTo8yzVFUSwmQf/52hzG9V1s5BPs8db1kX9T5+8 Hjh4sRefrNfQlqfzFVEKxTEM5qQ7qR1e/ogzyfITCj/3yevjnRQmdpOhpqtlR0ycoYN0 0BlVpVZRyBUyEtaZOvjMH5VubaqQyfGF5tUlUkv9DxW4rt8qudMAs8vQOT6m5X/cAHcD q7hr+04QfjnyJ3LIk0mniYP3o8u1A5SJ/eRwfm7176NnlwuMomCsYUm56IhLlgAcbfRR 5HsA==
MIME-Version: 1.0
X-Received: by 10.112.119.201 with SMTP id kw9mr47882560lbb.99.1419699692526; Sat, 27 Dec 2014 09:01:32 -0800 (PST)
Sender: alangley@gmail.com
Received: by 10.112.114.225 with HTTP; Sat, 27 Dec 2014 09:01:32 -0800 (PST)
In-Reply-To: <549EE32B.7050703@nthpermutation.com>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com> <20141224185031.GA4583@LK-Perkele-VII> <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com> <20141224193906.GB4583@LK-Perkele-VII> <CABcZeBOD_6Uan73ntOBKb3JwhYB2xzhrz+xGue_sy-B4-1VA4A@mail.gmail.com> <549EE32B.7050703@nthpermutation.com>
Date: Sat, 27 Dec 2014 18:01:32 +0100
X-Google-Sender-Auth: WBVK0xbcv1Cul9uPrqStm_X9sQM
Message-ID: <CAMfhd9VArCKPNhuEVNbksc2=HkSsCvDO81=qUj1-teoNYqJ7XQ@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NpDw4pd5JJzKBj4PLVeL8g0J1LE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 17:01:36 -0000

On Sat, Dec 27, 2014 at 5:49 PM, Michael StJohns <msj@nthpermutation.com>; wrote:
> Doing it this way means that SHA1 is a permanent part of TLS1.3

The signature hash is negotiated, not fixed to SHA-1. TLS 1.2 (and,
currently, 1.3) depend on SHA-256 fundamentally as it's the weakest
handshake hash allowed.

> at least make extension attacks a bit more difficult.

Length extension attacks allow hashes of some other input messages to
be calculated. Since the input to the signature hashes is already
public, that's not a problem.


Cheers

AGL