IETF Logo Mail Archive

Re: [TLS] Curve25519 and TLS

Watson Ladd <watsonbladd@gmail.com> Mon, 23 June 2014 01:24 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E3E1B27FC for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5yAsoUQCD48 for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:24:21 -0700 (PDT)
Received: from mail-yh0-x232.google.com (mail-yh0-x232.google.com [IPv6:2607:f8b0:4002:c01::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9C31B27FB for <tls@ietf.org>; Sun, 22 Jun 2014 18:24:21 -0700 (PDT)
Received: by mail-yh0-f50.google.com with SMTP id t59so4591900yho.9 for <tls@ietf.org>; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FStjqwHPj0JwL/M3rEiaKkDUMd35NTdT0RomS3ewfEk=; b=kIG162UfEZx5tPwKcJDs9IWWevxXdNRwpe1mWZpJij0ty5w+fz6sFX9PSisWgqKIHg i2DrNkiAsP90csMT0RbX/QGBiY5vrlb1Wj5LCxzzbeCZHDzD5liMcCNDGXkNmapP8ROy QaCWwtv8ysJrrqJQA1UaITUhpb8SdG96n1Oa48xSZdvJEUEPuGgqs5MnCRqX9+dB6Lsg YXDboRpGrRkoYmGBKzP8wpxLkVsmNhK2BWdiW/ZbECcJp0mHHpqMuOOI72NEsV+6LDjq kTZIgMxQ0m3Om0cWuRozRJLYbGtHt7cFHcTvZWRYJdewO2BahvZAGPYCkIZHFTh/2rrX gxkw==
MIME-Version: 1.0
X-Received: by 10.236.28.133 with SMTP id g5mr31150847yha.46.1403486660664; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 22 Jun 2014 18:24:20 -0700 (PDT)
In-Reply-To: <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com> <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com> <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com> <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com>
Date: Sun, 22 Jun 2014 18:24:20 -0700
Message-ID: <CACsn0cneqxgZQQDp1UF+2f1b=ySA7T6sReh83NqPtG-PgDFBpg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OVGxSAJ4JX-IrXoxdPk5-BxI0xg
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 01:24:23 -0000

On Sun, Jun 22, 2014 at 5:56 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Fri, Jun 13, 2014 at 7:05 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> On Fri, Jun 13, 2014 at 8:02 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> >
>> >
>> >
>> > On Fri, Jun 13, 2014 at 2:59 PM, Watson Ladd <watsonbladd@gmail.com>
>> > wrote:
>> >>
>> >> On Fri, Jun 13, 2014 at 6:37 PM, Andy Lutomirski <luto@amacapital.net>
>> >> wrote:
>> >> > On 06/13/2014 02:30 PM, Watson Ladd wrote:
>> >> >> For TLS 1.3 we should ensure contributory behaviour is not required
>> >> >> to
>> >> >> avoid these issues.
>> >> >
>> >> > What needs to change for this to be the case?  It would be even nicer
>> >> > if
>> >> > the result were provably correct in some reasonable model.
>> >>
>> >> Hash the entire exchange into the generated key, so that a key made by
>> >> someone cheating is only shared with them. I still don't understand
>> >> why this isn't done already: it's needed for the finished message, so
>> >> nothing is saved by not doing it. This is what the triple handshake
>> >> fix is supposed to do, but it does a strange variant that reuses the
>> >> oddball finished message.
>> >>
>> >> (And use a strong hash function: apparently the reason we haven't
>> >> finished fixing Triple Handshake is that some people want to use
>> >> SHA-1. On their heads be it!)
>> >
>> >
>> > Hmm... I don't believe that this isn't done strictly because of SHA-1.
>> > Looking back at what I wrote a while ago:
>> >
>> > http://www.ietf.org/mail-archive/web/tls/current/msg12574.html
>> >
>> > I believe the question is whether it is acceptable to have a *hash* of
>> > the handshake hashed into the generated key as opposed to having
>> > the handshake itself hashed into the generated key and whether it's
>> > acceptable to have that hash be the combined MD5/SHA1 variant
>> > in TLS < 1.2 and if not what recommendation we should make for
>> > those versions.
>>
>> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as
>> if H(m || stuff)=H(m' || stuff).
>
>
> Well, this isn't quite the two cases we are considering, since we are
> computing either:
>
> HMAC(Key, stuff)
>
> or:
>
> HMAC(Key, H(stuff))
>
> with:
> - stuff being under partial control of the attacker and
> - the Key being subject to the issue you raise in the message
> that started this thread.

HMAC is H(key || H(stuff)) right? So it turns into H(key || H(stuff))
vs H(key || H(H(stuff))). (Yes, there is padding: that's an injective
function, so doesn't matter for this analysis). Once again a collision
means stuff equals stuff both ways.

Of course, this presumes resistance to collisions. But if we don't
have that, there is a lot more going wrong.

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email