Re: [TLS] Curve25519 and TLS
Eric Rescorla <ekr@rtfm.com> Mon, 23 June 2014 01:43 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 037331B281A for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNfNt7Kqltsr for <tls@ietfa.amsl.com>; Sun, 22 Jun 2014 18:43:31 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68CF11B2816 for <tls@ietf.org>; Sun, 22 Jun 2014 18:43:31 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id r20so3286893wiv.14 for <tls@ietf.org>; Sun, 22 Jun 2014 18:43:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=5Tnx3rDd4BUVY0YETvCrNov+vdC8NFBN/vVyb0PH3UM=; b=US9HseWUsjCUTKBU7575DxzgcdK4daVT3TqGBjjbqShgchdKs6CUTqMxWThJNbJEAk OtzF2AXbKdJruej86UwRYNXVSCifEtF2IPjtGj/+6h0LgG2R8ihMiLCOg2tbm0IaC2RC 8xAHiny1tvQqDcIbpLu3yLFQ5wx7aidB2b6QBg0qrsJohJrTbS5ySExj2q+hH22yCCW1 8WyB13IEKaAyoORV9QvDPv2BU0ClAD+tZlZyl4j9aARE1x4jKvHsbsK/8kRFuBlF/edB vmvgdUSKr2PLiNjCPVSl03LEoaGgxaX/ur1tlC5EmxxkTbnl8Jn0Mi8GsblQq8DM4eM/ 802Q==
X-Gm-Message-State: ALoCoQlLnQuXDxgg9N6fMPzNjK8Qw6I5ZJqmWqjCtSbnM0Y39DGGkaLnpe8ZVG27GOBXxp8d1W12
X-Received: by 10.180.76.132 with SMTP id k4mr21834857wiw.1.1403487809896; Sun, 22 Jun 2014 18:43:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Sun, 22 Jun 2014 18:42:49 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CACsn0cneqxgZQQDp1UF+2f1b=ySA7T6sReh83NqPtG-PgDFBpg@mail.gmail.com>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com> <539B6F1B.4030407@mit.edu> <CACsn0c=VUakySUwAh-JGX4FTUwp4Y5kwaoT5=+RXuJnsKxmRTQ@mail.gmail.com> <CABcZeBPNa-q90H+D=jf7ceFVv6OQNb7_YZnD6QyTpTv6YSrPjQ@mail.gmail.com> <CACsn0ckaDuhgWhFRgMsmguwK460WBAFikG=Kqu0YBSNosU7+ng@mail.gmail.com> <CABcZeBOqVKMk8-BDzKnuLRbh+PeqscMRcXOYSBfxjaBn85Xb4w@mail.gmail.com> <CACsn0cneqxgZQQDp1UF+2f1b=ySA7T6sReh83NqPtG-PgDFBpg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Jun 2014 18:42:49 -0700
Message-ID: <CABcZeBNPaxzWUX1wqdFZVia-ko-KAKFh7SVV42c2x6Q4dqWt=w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="f46d0435c0225b1c0e04fc76f8d1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Pj45wOSoUNF1Ds6oVLl5yGFvPHQ
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Curve25519 and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 01:43:36 -0000
On Sun, Jun 22, 2014 at 6:24 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sun, Jun 22, 2014 at 5:56 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > > > On Fri, Jun 13, 2014 at 7:05 PM, Watson Ladd <watsonbladd@gmail.com> > wrote: > >> > >> On Fri, Jun 13, 2014 at 8:02 PM, Eric Rescorla <ekr@rtfm.com> wrote: > >> > > >> > > >> > > >> > On Fri, Jun 13, 2014 at 2:59 PM, Watson Ladd <watsonbladd@gmail.com> > >> > wrote: > >> >> > >> >> On Fri, Jun 13, 2014 at 6:37 PM, Andy Lutomirski < > luto@amacapital.net> > >> >> wrote: > >> >> > On 06/13/2014 02:30 PM, Watson Ladd wrote: > >> >> >> For TLS 1.3 we should ensure contributory behaviour is not > required > >> >> >> to > >> >> >> avoid these issues. > >> >> > > >> >> > What needs to change for this to be the case? It would be even > nicer > >> >> > if > >> >> > the result were provably correct in some reasonable model. > >> >> > >> >> Hash the entire exchange into the generated key, so that a key made > by > >> >> someone cheating is only shared with them. I still don't understand > >> >> why this isn't done already: it's needed for the finished message, so > >> >> nothing is saved by not doing it. This is what the triple handshake > >> >> fix is supposed to do, but it does a strange variant that reuses the > >> >> oddball finished message. > >> >> > >> >> (And use a strong hash function: apparently the reason we haven't > >> >> finished fixing Triple Handshake is that some people want to use > >> >> SHA-1. On their heads be it!) > >> > > >> > > >> > Hmm... I don't believe that this isn't done strictly because of SHA-1. > >> > Looking back at what I wrote a while ago: > >> > > >> > http://www.ietf.org/mail-archive/web/tls/current/msg12574.html > >> > > >> > I believe the question is whether it is acceptable to have a *hash* of > >> > the handshake hashed into the generated key as opposed to having > >> > the handshake itself hashed into the generated key and whether it's > >> > acceptable to have that hash be the combined MD5/SHA1 variant > >> > in TLS < 1.2 and if not what recommendation we should make for > >> > those versions. > >> > >> Why wouldn't it be? If H(m)=H(m'), that's just as much a collision as > >> if H(m || stuff)=H(m' || stuff). > > > > > > Well, this isn't quite the two cases we are considering, since we are > > computing either: > > > > HMAC(Key, stuff) > > > > or: > > > > HMAC(Key, H(stuff)) > > > > with: > > - stuff being under partial control of the attacker and > > - the Key being subject to the issue you raise in the message > > that started this thread. > > HMAC is H(key || H(stuff)) right? Actually: H(key^mask1 || H(key^mask2 || stuff)) where mask1 and mask2 are fixed. > So it turns into H(key || H(stuff)) > vs H(key || H(H(stuff))). (Yes, there is padding: that's an injective > function, so doesn't matter for this analysis). Once again a collision > means stuff equals stuff both ways. > > Of course, this presumes resistance to collisions. But if we don't > have that, there is a lot more going wrong. Sorry, my mistake for not being clearer: I was assuming that there was at least some partial failure of collision resistance in the hash function. As you suggest, that means that a lot of other stuff is going wrong, so maybe it's not worth worrying about. -Ekr
- [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Andy Lutomirski
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Karthikeyan Bhargavan
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Viktor Dukhovni
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Eric Rescorla
- Re: [TLS] Curve25519 and TLS Paul Hoffman
- Re: [TLS] Curve25519 and TLS Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Watson Ladd
- Re: [TLS] Curve25519 and TLS Bodo Moeller
- Re: [TLS] Curve25519 and TLS Bodo Moeller