Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Bodo Moeller <bmoeller@acm.org> Thu, 28 November 2013 09:00 UTC


2013/11/28 Dan Harkins <dharkins@lounge.org>

> I'm not sure how using a cipher suite with an anonymous (i.e.
> unauthenticated) server is "very different from relying on initially
> unauthenticated parameters" since with an unauthenticated server
> the parameters will not only be initially unauthenticated but always
> unauthenticated.

Right; in that case you have no hopes of defending against an active
adversary anyway.

> And that is not possible with TLS-pwd because the client presents the
> set of domain parameter sets and the server picks one.
What I got from draft-ietf-tls-pwd-02 is that (in the non-EC case) the
server proposes a group in ServerFFPWDParams in the ServerKeyExchange
message, and "Upon receipt of the ServerKeyExchange, the client decides
whether to support the indicated group or not."  Before the server chooses
the group for the ServerKeyExchange, all the client sends is the
ClientHello, which does not seem to allow the client to present a set of
domain parameters.  I may have missed something.

In any case, if the client presents the domain parameters and the server
accepts or rejects, we should have a similar attack the other way around.

> It's interesting that the fix you suggest for this problem -- "The proper
> fix is to allow just a certain fixed (standardized) set of parameters" --
> is what TLS-pwd already does.

It doesn't seem that FFC primes are standardized in draft-ietf-tls-pwd-02.
Am I missing something?

Bodo
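As an added illustration (not code from draft-ietf-tls-pwd or from anyone in this thread) of the step where "the client decides whether to support the indicated group": a client that only sanity-checks whatever group the unauthenticated ServerKeyExchange proposes will accept a structurally valid but deliberately weak group, whereas the fixed-set policy suggested above rejects anything not matched by value. All group values and function names are constructed toy stand-ins, not real standardized FFC groups.

```python
from typing import NamedTuple, FrozenSet


class FFGroup(NamedTuple):
    """Finite-field group as a server might propose it: modulus, generator, subgroup order."""
    p: int  # prime modulus (toy-sized here, constructed for illustration)
    g: int  # generator of the order-q subgroup
    q: int  # prime order of the subgroup


def structurally_valid(grp: FFGroup) -> bool:
    """Per-proposal sanity checks only: q | p-1, g non-trivial, g^q == 1 mod p.
    These catch malformed parameters but say nothing about the group's strength."""
    if grp.p <= 3 or grp.q <= 2 or (grp.p - 1) % grp.q != 0:
        return False
    if grp.g <= 1 or grp.g >= grp.p - 1:
        return False
    return pow(grp.g, grp.q, grp.p) == 1


# Constructed stand-in for a fixed, standardized list the client ships with.
# (23, 2, 11) and (47, 2, 23) are safe-prime groups; 2 generates the order-q subgroup.
ALLOWED_GROUPS: FrozenSet[FFGroup] = frozenset({
    FFGroup(p=23, g=2, q=11),
    FFGroup(p=47, g=2, q=23),
})


def client_accepts_group(proposed: FFGroup, allowed: FrozenSet[FFGroup] = ALLOWED_GROUPS) -> bool:
    """Fixed-set policy: accept only a group that matches an allowed entry by value."""
    return proposed in allowed


def evaluate_proposal(proposed: FFGroup, allowed: FrozenSet[FFGroup] = ALLOWED_GROUPS) -> str:
    """Decision a client makes on ServerKeyExchange, with the reason for a rejection."""
    if not structurally_valid(proposed):
        return "reject: malformed group"
    if not client_accepts_group(proposed, allowed):
        return "reject: group not in fixed set"
    return "accept"


if __name__ == "__main__":
    weak = FFGroup(p=11, g=4, q=5)  # constructed: passes sanity checks, far too small
    print("weak group sanity-check only:", structurally_valid(weak))   # True
    print("weak group fixed-set policy: ", evaluate_proposal(weak))     # rejected
    print("allowed group:               ", evaluate_proposal(FFGroup(23, 2, 11)))
```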