Re: [TLS] Curve25519 and TLS
Watson Ladd <watsonbladd@gmail.com> Mon, 23 June 2014 01:24 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E3E1B27FC for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5yAsoUQCD48 for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:24:21 -0700 (PDT)
Received: from mail-yh0-x232.google.com (mail-yh0-x232.google.com [IPv6:2607:f8b0:4002:c01::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9C31B27FB for <tls@ietf.org>; Sun, 22 Jun 2014 18:24:21 -0700 (PDT)
Received: by mail-yh0-f50.google.com with SMTP id t59so4591900yho.9 for <tls@ietf.org>; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FStjqwHPj0JwL/M3rEiaKkDUMd35NTdT0RomS3ewfEk=; b=kIG162UfEZx5tPwKcJDs9IWWevxXdNRwpe1mWZpJij0ty5w+fz6sFX9PSisWgqKIHg i2DrNkiAsP90csMT0RbX/QGBiY5vrlb1Wj5LCxzzbeCZHDzD5liMcCNDGXkNmapP8ROy QaCWwtv8ysJrrqJQA1UaITUhpb8SdG96n1Oa48xSZdvJEUEPuGgqs5MnCRqX9+dB6Lsg YXDboRpGrRkoYmGBKzP8wpxLkVsmNhK2BWdiW/ZbECcJp0mHHpqMuOOI72NEsV+6LDjq kTZIgMxQ0m3Om0cWuRozRJLYbGtHt7cFHcTvZWRYJdewO2BahvZAGPYCkIZHFTh/2rrX gxkw==
MIME-Version: 1.0
X-Received: by 10.236.28.133 with SMTP id g5mr31150847yha.46.1403486660664; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
In-Reply-To: <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com> <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com> <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com> <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com>
Date: Sun, 22 Jun 2014 18:24:20 -0700
Message-ID: <CACsn0cneqxgZQQDp1UF+2f1b=ySA7T6sReh83NqPtG-PgDFBpg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OVGxSAJ4JX-IrXoxdPk5-BxI0xg
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 01:24:23 -0000
On Sun, Jun 22, 2014 at 5:56 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Fri, Jun 13, 2014 at 7:05 PM, Watson Ladd <watsonbladd@gmail.com> wrote: >> >> On Fri, Jun 13, 2014 at 8:02 PM, Eric Rescorla <ekr@rtfm.com> wrote: >> > >> > >> > >> > On Fri, Jun 13, 2014 at 2:59 PM, Watson Ladd <watsonbladd@gmail.com> >> > wrote: >> >> >> >> On Fri, Jun 13, 2014 at 6:37 PM, Andy Lutomirski <luto@amacapital.net> >> >> wrote: >> >> > On 06/13/2014 02:30 PM, Watson Ladd wrote: >> >> >> For TLS 1.3 we should ensure contributory behaviour is not required >> >> >> to >> >> >> avoid these issues. >> >> > >> >> > What needs to change for this to be the case? It would be even nicer >> >> > if >> >> > the result were provably correct in some reasonable model. >> >> >> >> Hash the entire exchange into the generated key, so that a key made by >> >> someone cheating is only shared with them. I still don't understand >> >> why this isn't done already: it's needed for the finished message, so >> >> nothing is saved by not doing it. This is what the triple handshake >> >> fix is supposed to do, but it does a strange variant that reuses the >> >> oddball finished message. >> >> >> >> (And use a strong hash function: apparently the reason we haven't >> >> finished fixing Triple Handshake is that some people want to use >> >> SHA-1. On their heads be it!) >> > >> > >> > Hmm... I don't believe that this isn't done strictly because of SHA-1. >> > Looking back at what I wrote a while ago: >> > >> > http://www.ietf.org/mail-archive/web/tls/current/msg12574.html >> > >> > I believe the question is whether it is acceptable to have a *hash* of >> > the handshake hashed into the generated key as opposed to having >> > the handshake itself hashed into the generated key and whether it's >> > acceptable to have that hash be the combined MD5/SHA1 variant >> > in TLS < 1.2 and if not what recommendation we should make for >> > those versions. >> >> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as >> if H(m || stuff)=H(m' || stuff). > > > Well, this isn't quite the two cases we are considering, since we are > computing either: > > HMAC(Key, stuff) > > or: > > HMAC(Key, H(stuff)) > > with: > - stuff being under partial control of the attacker and > - the Key being subject to the issue you raise in the message > that started this thread. HMAC is H(key || H(stuff)) right? So it turns into H(key || H(stuff)) vs H(key || H(H(stuff))). (Yes, there is padding: that's an injective function, so doesn't matter for this analysis). Once again a collision means stuff equals stuff both ways. Of course, this presumes resistance to collisions. But if we don't have that, there is a lot more going wrong. Sincerely, Watson Ladd
- [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Andy Lutomirski
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Karthikeyan Bhargavan
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Paul Hoffman
- Re: [TLS] Curve25519 and TLS Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Bodo Moeller
- Re: [TLS] Curve25519 and TLS Bodo Moeller