Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 25 October 2014 18:14 UTC

Date: Sat, 25 Oct 2014 21:14:33 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Henrick Hellström <henrick@streamsec.se>
Message-ID: <20141025181433.GA5567@LK-Perkele-VII>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <20141025172504.GA2714@LK-Perkele-VII> <544BE68A.1010801@streamsec.se>
In-Reply-To: <544BE68A.1010801@streamsec.se>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/O5kiC3qLTIg1nTKnCIshbNpyKcA
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

On Sat, Oct 25, 2014 at 08:06:02PM +0200, Henrick Hellström wrote:
> On 2014-10-25 19:25, Ilari Liusvaara wrote:
> >I see two problematic cases:
> >1) NG SKE gets presented as EC(!) SKE.
> >2) NG SKE gets presented to non-NG client.
> >
> >
> >1) The message is:
> >
> >00 02 01 xx 00 01 00 <length of ge> <ge>
> >
> >When interpreted as elliptic curve, this has curve type of 0, which is
> >not valid, so handshake can't work.
> 
> I think this should be of no consequence. A client that interprets a DHE SKE
> as an ECDHE SKE, despite having negotiated a DHE cipher suite, is broken
> beyond repair and would be pointless to try to be compatible with.

Unfortunately, an attacker can make a client interpret a DHE SKE as an ECDHE SKE
(or vice versa). TLS key exchange is just screwed up.

Oh, I also missed interpreting an ECDHE SKE as a possibly-NG DHE. This always
results in a prime of length 256 or above. So if the prime length is restricted for
NG DHE, these can't be confused with NG DHE.


-Ilari
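To make the parsing argument in the thread concrete, here is an added Python illustration (mine, not code from the draft or from either poster) that decodes a ServerKeyExchange body under both the ServerDHParams layout and the ServerECDHParams layout and reports which interpretations accept it. The NG DHE encoding it builds follows the bytes quoted above (dh_p = two bytes `01 xx`, dh_g = one byte `00`, then the public value). The 2-byte cap on dh_p for a negotiated group, the group code `0x01`, the named curve `0x0017` and the sample public values are assumptions for the demonstration, and the signature that follows the parameters on the wire is left out.

```python
"""Cross-parse a TLS ServerKeyExchange (SKE) body as both the DHE and the
ECDHE wire format, to see where the two interpretations can be told apart.

Added illustration, not code from the draft or the mail thread.  The
negotiated-group (NG) DHE layout follows the message quoted in the mail:
    00 02 01 xx  00 01 00  <len(ge)> <ge>
i.e. dh_p = 2 bytes (0x01xx), dh_g = 1 byte (0x00), then dh_Ys.  The
2-byte cap on dh_p for NG groups is an assumed restriction, and the
signature that follows the parameters on the wire is ignored here.
"""
import struct

# RFC 4492 ECCurveType values; 0 is not assigned.
EC_CURVE_TYPES = {1: "explicit_prime", 2: "explicit_char2", 3: "named_curve"}


def parse_dhe_params(body: bytes) -> dict:
    """Parse ServerDHParams: three opaque<1..2^16-1> fields (p, g, Ys)."""
    off, out = 0, {}
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (ln,) = struct.unpack_from("!H", body, off)
        off += 2
        if ln == 0 or off + ln > len(body):
            raise ValueError(f"bad {name} length {ln}")
        out[name] = body[off:off + ln]
        off += ln
    return out


def parse_ecdhe_params(body: bytes) -> dict:
    """Parse ServerECDHParams for the named_curve case (RFC 4492, 5.4)."""
    if not body:
        raise ValueError("empty body")
    curve_type = body[0]
    if curve_type not in EC_CURVE_TYPES:
        raise ValueError(f"invalid curve_type {curve_type}")
    if curve_type != 3:
        raise ValueError("explicit curve parameters not handled here")
    if len(body) < 4:
        raise ValueError("truncated named curve")
    (named_curve,) = struct.unpack_from("!H", body, 1)
    point_len = body[3]
    if point_len == 0 or 4 + point_len > len(body):
        raise ValueError("bad point length")
    return {"curve_type": curve_type, "named_curve": named_curve,
            "point": body[4:4 + point_len]}


def ng_dhe_ske(group_code: int, ge: bytes) -> bytes:
    """Build the NG DHE SKE body from the mail: p = 01 <group>, g = 00.
    The single-byte group code is an assumption for the demonstration."""
    if not 0 <= group_code <= 0xFF:
        raise ValueError("group code must fit in one byte")
    return (b"\x00\x02" + bytes([0x01, group_code]) +
            b"\x00\x01\x00" + struct.pack("!H", len(ge)) + ge)


def ecdhe_ske(named_curve: int, point: bytes) -> bytes:
    """Build a named_curve ECDHE SKE body (curve_type 3)."""
    return b"\x03" + struct.pack("!H", named_curve) + bytes([len(point)]) + point


def apparent_dhe_p_len(body: bytes) -> int:
    """The dh_p length a DHE parser reads from the first two bytes.  For an
    ECDHE body the first byte is the curve_type (1..3), so this is >= 256."""
    return struct.unpack_from("!H", body, 0)[0]


def interpretations(body: bytes, max_ng_p_len: int = 2) -> set:
    """Return the set of SKE interpretations that parse cleanly.  A short
    dh_p marks a negotiated-group DHE SKE (the assumed restriction); a
    longer dh_p is treated as a classic explicit prime."""
    found = set()
    try:
        d = parse_dhe_params(body)
        found.add("dhe-ng" if len(d["p"]) <= max_ng_p_len else "dhe-classic")
    except ValueError:
        pass
    try:
        parse_ecdhe_params(body)
        found.add("ecdhe")
    except ValueError:
        pass
    return found


if __name__ == "__main__":
    # Constructed sample bodies: an NG DHE SKE and a P-256 ECDHE SKE.
    ng = ng_dhe_ske(0x01, bytes(range(32)))
    ec = ecdhe_ske(0x0017, b"\x04" + bytes(64))
    print("NG DHE body parses as:", interpretations(ng))        # {'dhe-ng'}
    print("ECDHE body parses as: ", interpretations(ec))        # {'ecdhe'}
    print("ECDHE body read as dh_p length:", apparent_dhe_p_len(ec))  # 768
```

Run stand-alone, the NG body is accepted only by the DHE parser, because its first byte (the high byte of the dh_p length, `00`) is not an assigned ECCurveType, which is case 1 in the thread. The ECDHE body is accepted only by the ECDHE parser: its curve_type byte (1, 2 or 3) becomes the high byte of the dh_p length under a DHE reading, so the apparent prime is at least 256 bytes long, which is the observation that a cap on the NG dh_p length keeps the two layouts apart.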