Re: [TLS] Results of interim meeting
Eric Rescorla <ekr@rtfm.com> Mon, 26 May 2014 21:50 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C40991A02AA for <tls@ietfa.amsl.com>; Mon, 26 May 2014 14:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xo0fNBm6-J46 for <tls@ietfa.amsl.com>; Mon, 26 May 2014 14:50:32 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 663461A02A1 for <tls@ietf.org>; Mon, 26 May 2014 14:50:32 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id hi2so663993wib.4 for <tls@ietf.org>; Mon, 26 May 2014 14:50:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=l3Xcgxzijfmm5dKG1RvpTTYFu7t7+b1Q9OMJn5HzSnI=; b=cqzzvhn2ZpDtiwFwNj59q8NTFHNTTrruaL7CsBhGOoT0/1an5PyjU+e+a7t0dufY9s D9EPEyHFv8MaHSK1gSsEZ3OagANo4by5EgyUNgiFuue/03qFjucBRlDEOTPGidLo4i5H A7ujjkh3JV3TSOt4iKjy3VTgVeAfVX4ncscyt72tWux2yXnjn8O+4CKd6iqz4Aj7ihtG nx7SOHq/QfTOi79mrO6an4D256nWhpOi3LyVlM0P21i7P38E/md2Y7MTvWPWh4waCerx oTxeNaGoLAGeCpDII5+it/PZH7iDYLqoB+GiUwVDyMz4KBs55qbcd+caUdkX6vM65Lc/ 8gEw==
X-Gm-Message-State: ALoCoQlGlXFAToFy5mdjRKOwUEc2pDyoT+PuNjZb2MVOX5KThYryYivv6E8k7HTNsGqTyrw4rjV4
X-Received: by 10.194.62.176 with SMTP id z16mr32482960wjr.76.1401141027333; Mon, 26 May 2014 14:50:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Mon, 26 May 2014 14:49:47 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CACsn0cnp2cCSVY5S9DB3BZxUCFckjmnq0eMfb+XyvFPdWyoFxg@mail.gmail.com>
References: <CACsn0cmHwo6E2tGZu64q0RxTdzvxGgh8Jonzj4rr1zZxehswLg@mail.gmail.com> <53839895.5000508@mit.edu> <CACsn0cnp2cCSVY5S9DB3BZxUCFckjmnq0eMfb+XyvFPdWyoFxg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 May 2014 14:49:47 -0700
Message-ID: <CABcZeBNZy+cqN-+9058TS_hLfECJ0V2tKmJe_OHeN2oq86HTWg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7ba979c237037304fa549188"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TC3o2L7DHgGsQ-UfzkWNBsoTvFM
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] Results of interim meeting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 May 2014 21:50:34 -0000
On Mon, May 26, 2014 at 1:38 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Mon, May 26, 2014 at 12:40 PM, Andy Lutomirski <luto@amacapital.net> > wrote: > > On 05/26/2014 09:34 AM, Watson Ladd wrote: > >> Dear all, > >> > >> It looks like most of the slides were devoted to SNI, and it is not > >> clear what was actually decided. > >> > >> I haven't seen any slides about Triple Handshake, despite being on the > >> interim agenda. Is this a sign that the proposed fix for TLS 1.2 is > >> acceptable? > > > > There was a concern that the proposed fix might allow the client to > > construct two different ClientHellos that would nonetheless result in > > the same tls-unique value using the pre-TLS-1.2 PRFs. The issue is > > that, if you could find a SHA-1 collision, then MD5 is short enough that > > it could be possible to do a length-extension attack and brute-force it > > to be an MD5 collision as well. > > Yes, this is a problem. Basically the session hash needs to be > computed with a secure hash, and TLS 1.1 and before don't use secure > hashes. > I don't think the proposed fix makes this issue worse: from my reading > of TLS 1.1 and the tls-unique (should be renamed sometime) the > Finished message is computed with the concatenation of a SHA1 and MD5 > hash of the messages. > To clarify, I believe the concern here was not directly about the Finished messages (though they are perhaps implicated as well) but about the key computation. Specifically, in current TLS, the MS [0] and subsequently the session keys [1] are computed as a PRF of the PMS/MS and random values, specifically: master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) [0..47]; As the triple handshake paper observes, this allows an attacker to force two handshakes to produce the same MS by duplicating the PMS and the randoms. The current proposal is to replace the random values with a hash of the handshake transcript, i.e., master_secret = PRF(pre_master_secret, "extended master secret", session_hash) [0..47]; However if there is a collision in the function used to compute the session hash, then this might allow an attacker to produce a session_hash collision which might potentially reenable the attack (and note that the attacker can potentially inject a lot of data here through extensions). -Ekr [0] http://tools.ietf.org/html/rfc4346#section-8.1 [1] http://tools.ietf.org/html/rfc4346#section-6.3 How we fix it I don't know yet. > > > > No one present knew whether this mattered. > > It seems to me that this would be a problem, and is also a problem for > the TLS 1.1 finished message for the same reason. The core issue is > this: http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf. > > In short, with 64 invocations of the hypothetical SHA-1 break, then > 2^64 MD5 calculations, you find a collision for the TLS 1.1 finished > message. So the composite construction in TLS 1.0 and TLS 1.1 is no > more secure than SHA-1. And yes, the dates of TLS 1.1 authorship and > the authorship of the paper explaining this flaw are 2006 and 2004 > respectively. > > Sincerely, > Watson Ladd > > > > --Andy > > > > -- > "Those who would give up Essential Liberty to purchase a little > Temporary Safety deserve neither Liberty nor Safety." > -- Benjamin Franklin > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Results of interim meeting Watson Ladd
- Re: [TLS] Results of interim meeting Andy Lutomirski
- Re: [TLS] Results of interim meeting Watson Ladd
- Re: [TLS] Results of interim meeting Eric Rescorla
- Re: [TLS] Results of interim meeting Andy Lutomirski
- Re: [TLS] Results of interim meeting Blumenthal, Uri - 0558 - MITLL