From nobody Mon Sep  6 10:07:32 2021
Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 14B3C3A169D
 for <tls@ietfa.amsl.com>; Mon,  6 Sep 2021 10:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id GSkIuXXWSRee for <tls@ietfa.amsl.com>;
 Mon,  6 Sep 2021 10:07:24 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com
 [IPv6:2607:f8b0:4864:20::72c])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 67B143A169B
 for <tls@ietf.org>; Mon,  6 Sep 2021 10:07:24 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id a10so7444620qka.12
 for <tls@ietf.org>; Mon, 06 Sep 2021 10:07:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=0E3aNoNebj0iommSXRx/4YEmUfvNWZyC821obb1/9TQ=;
 b=Xn3htjDagz7EwyrwkeZc7VWPuC7phDecvUUqpl/4FsHtZowJWDJijGfYpkjCBibUQc
 vWfNAj1VnkOhW1Bqc1oGlQGjwH8YnBfPxi5SV7YRhmhu2FJircuFNilDYOHTcS3r2qly
 6ycPJmkGvBL1aMuMxXygwdWSbp9MfXstqJsN0D/ZNVAFoInUSS+qVO/gOJWYbXozuWAZ
 fRwjHs998IpbLm9RK2wEn6Pyp1rdHXAvf+VHbmQF1uD0s6JEu1ScIAdQyTY73rw51DOo
 1UopUl8JqJvte88HXgYcp/7F4fTToBDJrIZNNuVrhFngxVjDSOvoXoTU7to+c6rxaTL8
 AfnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=0E3aNoNebj0iommSXRx/4YEmUfvNWZyC821obb1/9TQ=;
 b=Aie+C6oLYTrH3ZQbvxVhpqKPC64C8C1UcGtxWv+FusfYfnbRjRKHuciUwkTeoQPvYM
 pKbFoUrWGRe2386kbncN1yO0Y/OlPFCZ39eSJPHFpWQnplSSiLzaq7JyJrnCP0bYKN9R
 THm2PAytRPIq76jw7eOxAyxlXvpM9U9GDVIrTjLVqbKwR1yd+Iglf3DD9tOVnhIxe+22
 FnTV+Mto3/eLTQxot1EiHdRj/xjIe13+w6CTcp5PdhgwBLKkotwyhSjcJf3Vnj7sq4UN
 ahRu16Q4i5nAjGa2ny6bGSBv3movzrkTjo2oydhqadv9d6hBWiTkKHOqUgOiAGo3wyUK
 dkeA==
X-Gm-Message-State: AOAM530OXdn9eqNaWag1zbPmZpLCU7Gq4wZ7aGJtMgEiqGp4yjOqNKLr
 BPiURXtOE4/AK+6qrLSiCXGDQFGrcHmBi+dKzkU=
X-Google-Smtp-Source: ABdhPJygdBRbNMo4C/clKY+b3kr9+qwejQV8rxUUj78fPcD+COXMxpe9zRw3kO0HeLEgMSPFWA/RNbpPFOJWaRD0uh0=
X-Received: by 2002:a05:620a:11a6:: with SMTP id
 c6mr11394728qkk.458.1630948042210; 
 Mon, 06 Sep 2021 10:07:22 -0700 (PDT)
MIME-Version: 1.0
References: <CABiKAoTOVqDucNuyJeH6VzJQdygpT7yAiA-V=+jLBCpfw+Ru4w@mail.gmail.com>
 <27861041-A7D9-401F-8790-4BD76ED3CB9D@ll.mit.edu>
 <CABiKAoSd6Fj3y2Ht=wjXCuuKS_9SwX2-eYg_YdQkAY0Dv-ZwVQ@mail.gmail.com>
 <6AB0509D-EBD2-479E-B2D9-E61023A2019A@ll.mit.edu>
In-Reply-To: <6AB0509D-EBD2-479E-B2D9-E61023A2019A@ll.mit.edu>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Mon, 6 Sep 2021 20:07:10 +0300
Message-ID: <CABiKAoSi6KmF=Lk96sCZQEnC9bGuzhNccCCLScgjdSWeoAU-VA@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b4004405cb56ae07"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TDPylWxKIGAWe3_cwxnWGUnLpgk>
Subject: Re: [TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
 <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
 <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Sep 2021 17:07:30 -0000

--000000000000b4004405cb56ae07
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I'd like to understand your position better.

> Since (if memory serves me) KDF is HMAC-based, rather than merely
SHA-based =E2=80=93 it won=E2=80=99t matter from the security point of view=
 whether SHA256
will or will not show collisions.
So, if I understand correctly, you argue that the text David Benjamin
quoted from Appendix E.1 is wrong?
The second paragraph in Appendix E.1.1:
https://datatracker.ietf.org/doc/html/rfc8446#appendix-E.1.1
"This requires the underlying hash function to be collision resistant..."

Moreover, if it won=E2=80=99t matter from the security point of view whethe=
r SHA256
will or will not show collisions, then this implies that (hypothetically)
switching from SHA256 to e.g. MD5 will not degrade security.
Is this your position? If so, could you please provide references that
support this position, e.g. prove security under a non-CR hash function?

> I don=E2=80=99t think so.
If I understand correctly, you wrote this in response to me saying "an
attacker that can establish multiple PSKs of their choice with another
party can cause two sessions with two different PSKs to share the same
early_secret... This likely violates the security proof for TLS 1.3, in and
of itself."
Is this what you're referring to? And I understand that you claim that an
attacker achieving this would not violate any proven security property of
TLS 1.3?

best,
Nimrod


On Thu, 2 Sept 2021 at 23:32, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.ed=
u>
wrote:

> The APOP attack demonstrates that concatenating secrets may be dangerous,
> as a general cryptographic practice.
>
>
>
> I disagree with the word =E2=80=9Cgeneral=E2=80=9D here.
>
>
>
> As to the TLS KDF, if future SHA256 cryptanalysis results in collisions,
>
>
>
> Since (if memory serves me) KDF is HMAC-based, rather than merely
> SHA-based =E2=80=93 it won=E2=80=99t matter from the security point of vi=
ew whether SHA256
> will or will not show collisions.
>
>
>
> This likely violates the security proof for TLS 1.3, in and of itself.
>
>
>
> I don=E2=80=99t think so.
>
>
>
> A similar violation of the security guarantee seems to arise when using
> hybrid key exchange with a PQ KEM.
>
>
>
> I absolutely don=E2=80=99t think so.
>
>
>
> Or if that's what you're asking: As we write, we are unaware of a way to
> apply the APOP attack to the TLS KDF.
>
>
>
> Excellent, thanks! I concur here.
>
>
>
> We view this as an opportunity to defend-in-depth against such issues,
> while the document is not yet finalized.
>
>
>
> I think we=E2=80=99re OK as-is.
>
>
>
>
>
> On Wed, 1 Sept 2021 at 23:34, Blumenthal, Uri - 0553 - MITLL <
> uri@ll.mit.edu> wrote:
>
> How does the described AOAP attack apply to TLS KDF?
>
>
>
> --
>
> Regards,
>
> Uri
>
>
>
> *There are two ways to design a system. One is to make is so simple there
> are obviously no deficiencies.*
>
> *The other is to make it so complex there are no obvious deficiencies.*
>
> *
>                                                                          =
                                          -
> C. A. R. Hoare*
>
>
>
>
>
> *From: *TLS <tls-bounces@ietf.org> on behalf of Nimrod Aviram <
> nimrod.aviram@gmail.com>
> *Date: *Wednesday, September 1, 2021 at 15:58
> *To: *"<tls@ietf.org>" <tls@ietf.org>
> *Cc: *Eylon Yogev <eylony@gmail.com>, Ilan Komargodski <
> ilankom10@gmail.com>, Benjamin Dowling <b.dowling@sheffield.ac.uk>, Eyal
> Ronen <er@eyalro.net>
> *Subject: *[TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3
>
>
>
> (This note is also available on Github
> <https://github.com/nimia/kdf_public#readme> for ease of reading.)
>
>
>
> This note identifies a possible security problem in the "Hybrid key
> exchange in
> TLS 1.3" document, stemming from how cryptographic secrets are combined. =
In
> short: constructions that concatenate secrets are vulnerable when the
> underlying
> hash function is not collision-resistant. We are unaware of a full attack
> that leverages the underlying problem. However, we view this as an
> opportunity
> to defend-in-depth against such issues, while the document is not yet
> finalized.
> We propose a new construction that seems robust to this potential issue,
> and we
> are in the process of writing a technical report that includes a full
> security
> proof.
>
> # Concatenating Secrets May Be Dangerous
>
> The APOP attack (see appendix for a brief description) demonstrates that
> concatenating secrets to potentially attacker-controlled input might be
> dangerous. Currently, the "Hybrid key exchange in TLS 1.3" document uses
> secret
> concatenation as the preferred way to combine secrets. (This was an
> understandable design choice given how little this issue has been studied=
.)
>
> We recommend a defense-in-depth approach against this potential issue. We
> should
> not concede to an attacker even the ability to cause a collision in an
> internal
> state of the key schedule. Moreover, this part of TLS is likely
> particularly
> amenable to ossification: Whatever we standardize will likely persist for
> 5-10
> years. (We do note that TLS mixes in the client and server nonces, so
> additional
> offensive techniques would be required to exploit this for a full attack.=
)
>
> We note that concatenation is also used in the "TLS 1.3 Extended Key
> Schedule"
> document.
>
> # Our proposed construction
>
> We have identified an alternative construction that we believe could
> provide
> defense-in-depth against this issue. We are in the process of writing a
> technical report that includes a full security proof.
> The required assumptions on the hash function appear to be much milder th=
an
> collision resistance; instead, we likely only need
> multi-preimage-resistance:
> Essentially, requiring only that computing preimages for multiple images =
is
> hard.
>
> The construction is:
> combined_key =3D H(HMAC(key=3DH1(k1), data=3D2||F(k2)) xor HMAC(key=3DH2(=
k2),
> data=3D1||F(k1)))
> where || denotes concatenation, H denotes the underlying hash function,
> and:
> H1(k) =3D H('derive1' || k)
> H2(k) =3D H('derive2' || k)
> F is defined as follows:
> Let m denote the input to F. We split m into blocks, according to the
> block size
> of H:
> m =3D m1||m2||...||mn
> Let j~=3D3 denote an =E2=80=9Cexpanding factor=E2=80=9D (the value chosen=
 for j in practice
> depends on how strong an assumption we want to rely on; we expect 3 to be
> enough).
> Then
> F(m) =3D
> H(0||m1)||H(1||m1)||...||H(j-1||m1)||H(0||m2)||H(1||m2)||...||H(j-1||m2)|=
|H(0||mn)||H(1||mn)||...||H(j-1||mn)
>
> This construction is cheap to calculate and would be used only in the key
> schedule, which is not a bottleneck for TLS performance.
>
> # Adding another layer to the TLS key schedule may also be problematic
>
> Another strategy for mixing secrets is to add the second secret to anothe=
r
> layer
> of the TLS key schedule. This strategy is already used to mix a PSK and a=
n
> ECDHE
> secret in TLS 1.3, as well as in AuthKEM, and it was also considered for
> the
> Hybrid key exchange document. This strategy is vulnerable as well to
> collisions
> in the underlying hash function, and we propose using one secure
> construction
> for mixing secrets.
>
> Consider a standard PSK+ECDHE TLS 1.3 handshake. Then
> handshake_secret =3D HKDF_Extract(IKM=3DECDHE_secret,
> salt=3DDerive_Secret(early_secret))
> early_secret =3D HKDF_Extract(IKM=3DPSK, salt=3D000)
> HKDF_Extract(IKM, salt) =3D HMAC(k=3Dsalt, data=3DIKM)
>
> Therefore, early_secret =3D HMAC(k=3D000, data=3DPSK).
> Assume a non-collision-resistant hash function. Then an attacker that can
> establish multiple PSKs of their choice with another party can cause two
> sessions with two different PSKs to share the same early_secret. If the
> other
> party reuses ECDH(E) values, the attacker can also cause the
> handshake_secret to
> be identical.
>
> Furthermore,
> Client_Handshake_Traffic_Secret =3D
>   HMAC(k=3DHandshake_Secret, data=3DLabel||H(ClientHello...ServerHello))
> If the attacker is the server, and the hash function allows for
> chosen-prefix
> collisions, the attacker can choose two ServerHello messages such that fo=
r
> two
> different ClientHello messages, H(ClientHello...ServerHello) is identical=
.
> This leads to identical values for an actual key output of the key
> schedule,
> Client-Handshake-Traffic-Secret (if the client reuses an ECDH(E) value, o=
r
> in a
> hypothetical PQ TLS, which uses a KEM and the server chooses the
> encapsulated
> key).
>
> We note that the full version of the HKDF paper explicitly disclaims
> security in
> the presence of attacker-controlled entropy. Also, note that by
> definition, a
> KEM allows one party to control the secret.
>
> # Appendix: The APOP Attack
>
> APOP is an old challenge-response protocol used in email, relevant here
> because
> it demonstrates the attack well. Broadly, in APOP the challenger sends a
> challenge, and the responder needs to respond with:
> MD5(challenge || password)
> where || denotes concatenation.
>
> The attacker wants to e.g. test whether the password starts with 'a'. The=
y
> pick an MD5 collision x, y such that MD5(x) =3D MD5(y) and both x and y e=
nd
> with
> 'a'. They wait for the client to connect in two different sessions, and
> send
> x[:-1] and y[:-1] as the challenges, where [:-1] denotes removing the las=
t
> byte
> from a string. If the password starts with 'a', and the MD5 blocks align,
> then
> the response will be the same for both challenges. The attacker can
> therefore
> test a single guess for the starting byte with two sessions, and learn
> that byte
> after at most 512 sessions. See [1], [2].
>
> best wishes,
> Nimrod Aviram, Benjamin Dowling, Ilan Komargodski, Kenny Paterson, Eyal
> Ronen, Eylon Yogev
>
> References:
> [1] Practical key-recovery attack against APOP, an MD5-based
> challenge-response authentication. Leurent, Gaetan.
>
> [2] Practical Password Recovery on an MD5 Challenge and Response.
> Sasaki, Yu and Yamamoto, Go and Aoki, Kazumaro.
>
>
>
>

--000000000000b4004405cb56ae07
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-size:small">I&#=
39;d like to understand your position better.<br><br>&gt; Since (if memory =
serves me) KDF is HMAC-based, rather than merely SHA-based =E2=80=93 it won=
=E2=80=99t matter from the security point of view whether SHA256 will or wi=
ll not show collisions.<br>So, if I understand correctly, you argue that th=
e text David Benjamin quoted from Appendix E.1 is wrong?<br>The second para=
graph in Appendix E.1.1:<br><a href=3D"https://datatracker.ietf.org/doc/htm=
l/rfc8446#appendix-E.1.1">https://datatracker.ietf.org/doc/html/rfc8446#app=
endix-E.1.1</a><br>&quot;This requires the underlying hash function to be c=
ollision resistant...&quot;<br><br>Moreover, if it won=E2=80=99t matter fro=
m the security point of view whether SHA256 will or will not show collision=
s, then this implies that (hypothetically) switching from SHA256 to e.g. MD=
5 will not degrade security.<br>Is this your position? If so, could you ple=
ase provide references that support this position, e.g. prove security unde=
r a non-CR hash function?<br><br>&gt; I don=E2=80=99t think so.<br>If I und=
erstand correctly, you wrote this in response to me saying &quot;an attacke=
r that can establish multiple PSKs of their choice with another party can c=
ause two sessions with two different PSKs to share the same early_secret...=
 This likely violates the security proof for TLS 1.3, in and of itself.&quo=
t;<br>Is this what you&#39;re referring to? And I understand that you claim=
 that an attacker achieving this would not violate any proven security prop=
erty of TLS 1.3?<br><br>best,<br>Nimrod</div><div class=3D"gmail_default" s=
tyle=3D"font-size:small"><br></div></div><br><div class=3D"gmail_quote"><di=
v dir=3D"ltr" class=3D"gmail_attr">On Thu, 2 Sept 2021 at 23:32, Blumenthal=
, Uri - 0553 - MITLL &lt;<a href=3D"mailto:uri@ll.mit.edu">uri@ll.mit.edu</=
a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><d=
iv style=3D"overflow-wrap: break-word;" lang=3D"EN-US"><div class=3D"gmail-=
m_5389154092724665302WordSection1"><div><div><p class=3D"MsoNormal" style=
=3D"margin-left:0.5in"><span style=3D"font-size:12pt">The APOP attack demon=
strates that concatenating secrets may be dangerous, as a general cryptogra=
phic practice.<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=
=3D"font-size:12pt"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><=
span style=3D"font-size:12pt;color:rgb(0,112,192)">I disagree with the word=
 =E2=80=9Cgeneral=E2=80=9D here.</span><span style=3D"font-size:12pt"><u></=
u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:12pt"><=
u></u>=C2=A0<u></u></span></p></div><div><p class=3D"MsoNormal" style=3D"ma=
rgin-left:0.5in"><span style=3D"font-size:12pt">As to the TLS KDF, if futur=
e SHA256 cryptanalysis results in collisions,<u></u><u></u></span></p><p cl=
ass=3D"MsoNormal"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u></span=
></p><p class=3D"MsoNormal"><span style=3D"font-size:12pt;color:rgb(0,112,1=
92)">Since (if memory serves me) KDF is HMAC-based, rather than merely SHA-=
based =E2=80=93 it won=E2=80=99t matter from the security point of view whe=
ther SHA256 will or will not show collisions.<u></u><u></u></span></p><p cl=
ass=3D"MsoNormal"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u></span=
></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span st=
yle=3D"font-size:12pt">This likely violates the security proof for TLS 1.3,=
 in and of itself.<u></u><u></u></span></p><p class=3D"MsoNormal"><span sty=
le=3D"font-size:12pt"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"=
><span style=3D"font-size:12pt;color:rgb(0,112,192)">I don=E2=80=99t think =
so.<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size=
:12pt;color:rgb(0,112,192)"><u></u>=C2=A0<u></u></span></p></div><div><p cl=
ass=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=3D"font-size:12pt=
">A similar violation of the security guarantee seems to arise when using h=
ybrid key exchange with a PQ KEM.<u></u><u></u></span></p><p class=3D"MsoNo=
rmal"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u></span></p><p clas=
s=3D"MsoNormal"><span style=3D"font-size:12pt;color:rgb(0,112,192)">I absol=
utely don=E2=80=99t think so.</span><span style=3D"font-size:12pt"><u></u><=
u></u></span></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:0.5=
in"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u></span></p></div><di=
v><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=3D"font-si=
ze:12pt">Or if that&#39;s what you&#39;re asking: As we write, we are unawa=
re of a way to apply the APOP attack to the TLS KDF.<u></u><u></u></span></=
p><p class=3D"MsoNormal"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u=
></span></p></div><p class=3D"MsoNormal"><span style=3D"font-size:12pt;colo=
r:rgb(0,112,192)">Excellent, thanks! I concur here.<u></u><u></u></span></p=
><p class=3D"MsoNormal"><span style=3D"font-size:12pt"><u></u>=C2=A0<u></u>=
</span></p><div><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span st=
yle=3D"font-size:12pt">We view this as an opportunity to defend-in-depth ag=
ainst such issues, while the document is not yet finalized.<u></u><u></u></=
span></p><p class=3D"MsoNormal"><span style=3D"font-size:12pt"><u></u>=C2=
=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:12pt;c=
olor:rgb(0,112,192)">I think we=E2=80=99re OK as-is.<u></u><u></u></span></=
p></div><div><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=
=3D"font-size:12pt"><u></u>=C2=A0<u></u></span></p></div></div><p class=3D"=
MsoNormal" style=3D"margin-left:0.5in"><u></u>=C2=A0<u></u></p><div><div><p=
 class=3D"MsoNormal" style=3D"margin-left:0.5in">On Wed, 1 Sept 2021 at 23:=
34, Blumenthal, Uri - 0553 - MITLL &lt;<a href=3D"mailto:uri@ll.mit.edu" ta=
rget=3D"_blank">uri@ll.mit.edu</a>&gt; wrote:<u></u><u></u></p></div><block=
quote style=3D"border-color:currentcolor currentcolor currentcolor rgb(204,=
204,204);border-style:none none none solid;border-width:medium medium mediu=
m 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div=
><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=3D"font-siz=
e:12pt">How does the described AOAP attack apply to TLS KDF?</span><u></u><=
u></u></p><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=3D=
"font-size:12pt">=C2=A0</span><u></u><u></u></p><div><div><p class=3D"MsoNo=
rmal" style=3D"margin-left:0.5in"><span style=3D"color:black">--</span><u><=
/u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><span styl=
e=3D"color:black">Regards,</span><u></u><u></u></p><p class=3D"MsoNormal" s=
tyle=3D"margin-left:0.5in"><span style=3D"color:black">Uri</span><u></u><u>=
</u></p><p class=3D"MsoNormal" style=3D"margin-left:1in"><i>=C2=A0</i><u></=
u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><i><span st=
yle=3D"color:black">There are two ways to design a system. One is to make i=
s so simple there are obviously no deficiencies.</span></i><u></u><u></u></=
p><p class=3D"MsoNormal" style=3D"margin-left:0.5in"><i><span style=3D"colo=
r:black">The other is to make it so complex there are no obvious deficienci=
es.</span></i><u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left=
:0.5in"><i><span style=3D"color:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 =C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0-=C2=A0 C. A. R. Hoare</span></i><u></u><u></u></p></div></div><p class=
=3D"MsoNormal" style=3D"margin-left:0.5in"><span style=3D"font-size:12pt">=
=C2=A0</span><u></u><u></u></p><p class=3D"MsoNormal" style=3D"margin-left:=
0.5in"><span style=3D"font-size:12pt">=C2=A0</span><u></u><u></u></p><div s=
tyle=3D"border-style:solid none none;border-width:1pt medium medium;padding=
:3pt 0in 0in;border-color:currentcolor"><p class=3D"MsoNormal" style=3D"mar=
gin-left:1in"><b><span style=3D"font-size:12pt;color:black">From: </span></=
b><span style=3D"font-size:12pt;color:black">TLS &lt;<a href=3D"mailto:tls-=
bounces@ietf.org" target=3D"_blank">tls-bounces@ietf.org</a>&gt; on behalf =
of Nimrod Aviram &lt;<a href=3D"mailto:nimrod.aviram@gmail.com" target=3D"_=
blank">nimrod.aviram@gmail.com</a>&gt;<br><b>Date: </b>Wednesday, September=
 1, 2021 at 15:58<br><b>To: </b>&quot;&lt;<a href=3D"mailto:tls@ietf.org" t=
arget=3D"_blank">tls@ietf.org</a>&gt;&quot; &lt;<a href=3D"mailto:tls@ietf.=
org" target=3D"_blank">tls@ietf.org</a>&gt;<br><b>Cc: </b>Eylon Yogev &lt;<=
a href=3D"mailto:eylony@gmail.com" target=3D"_blank">eylony@gmail.com</a>&g=
t;, Ilan Komargodski &lt;<a href=3D"mailto:ilankom10@gmail.com" target=3D"_=
blank">ilankom10@gmail.com</a>&gt;, Benjamin Dowling &lt;<a href=3D"mailto:=
b.dowling@sheffield.ac.uk" target=3D"_blank">b.dowling@sheffield.ac.uk</a>&=
gt;, Eyal Ronen &lt;<a href=3D"mailto:er@eyalro.net" target=3D"_blank">er@e=
yalro.net</a>&gt;<br><b>Subject: </b>[TLS] Combining Secrets in Hybrid Key =
Exchange in TLS 1.3</span><u></u><u></u></p></div><div><p class=3D"MsoNorma=
l" style=3D"margin-left:1in">=C2=A0<u></u><u></u></p></div><div><div><p cla=
ss=3D"MsoNormal" style=3D"margin-left:1in"><span style=3D"font-size:12pt">(=
This note is also available on <a href=3D"https://github.com/nimia/kdf_publ=
ic#readme" target=3D"_blank">Github</a> for ease of reading.)</span><u></u>=
<u></u></p></div><div><p class=3D"MsoNormal" style=3D"margin-left:1in"><spa=
n style=3D"font-size:12pt">=C2=A0</span><u></u><u></u></p></div><div><p cla=
ss=3D"MsoNormal" style=3D"margin-left:1in"><span style=3D"font-size:12pt">T=
his note identifies a possible security problem in the &quot;Hybrid key exc=
hange in<br>TLS 1.3&quot; document, stemming from how cryptographic secrets=
 are combined. In<br>short: constructions that concatenate secrets are vuln=
erable when the underlying<br>hash function is not collision-resistant. We =
are unaware of a full attack<br>that leverages the underlying problem. Howe=
ver, we view this as an opportunity<br>to defend-in-depth against such issu=
es, while the document is not yet finalized.<br>We propose a new constructi=
on that seems robust to this potential issue, and we<br>are in the process =
of writing a technical report that includes a full security<br>proof.<br><b=
r># Concatenating Secrets May Be Dangerous<br><br>The APOP attack (see appe=
ndix for a brief description) demonstrates that<br>concatenating secrets to=
 potentially attacker-controlled input might be<br>dangerous. Currently, th=
e &quot;Hybrid key exchange in TLS 1.3&quot; document uses secret<br>concat=
enation as the preferred way to combine secrets. (This was an<br>understand=
able design choice given how little this issue has been studied.)<br><br>We=
 recommend a defense-in-depth approach against this potential issue. We sho=
uld<br>not concede to an attacker even the ability to cause a collision in =
an internal<br>state of the key schedule. Moreover, this part of TLS is lik=
ely particularly<br>amenable to ossification: Whatever we standardize will =
likely persist for 5-10<br>years. (We do note that TLS mixes in the client =
and server nonces, so additional<br>offensive techniques would be required =
to exploit this for a full attack.)<br><br>We note that concatenation is al=
so used in the &quot;TLS 1.3 Extended Key Schedule&quot;<br>document.<br><b=
r># Our proposed construction<br><br>We have identified an alternative cons=
truction that we believe could provide<br>defense-in-depth against this iss=
ue. We are in the process of writing a<br>technical report that includes a =
full security proof.<br>The required assumptions on the hash function appea=
r to be much milder than<br>collision resistance; instead, we likely only n=
eed multi-preimage-resistance:<br>Essentially, requiring only that computin=
g preimages for multiple images is<br>hard.<br><br>The construction is: <br=
>combined_key =3D H(HMAC(key=3DH1(k1), data=3D2||F(k2)) xor HMAC(key=3DH2(k=
2), data=3D1||F(k1))) <br>where || denotes concatenation, H denotes the und=
erlying hash function, and: <br>H1(k) =3D H(&#39;derive1&#39; || k) <br>H2(=
k) =3D H(&#39;derive2&#39; || k) <br>F is defined as follows:<br>Let m deno=
te the input to F. We split m into blocks, according to the block size<br>o=
f H: <br>m =3D m1||m2||...||mn <br>Let j~=3D3 denote an =E2=80=9Cexpanding =
factor=E2=80=9D (the value chosen for j in practice<br>depends on how stron=
g an assumption we want to rely on; we expect 3 to be enough).<br>Then <br>=
F(m) =3D H(0||m1)||H(1||m1)||...||H(j-1||m1)||H(0||m2)||H(1||m2)||...||H(j-=
1||m2)||H(0||mn)||H(1||mn)||...||H(j-1||mn)<br><br>This construction is che=
ap to calculate and would be used only in the key<br>schedule, which is not=
 a bottleneck for TLS performance.<br><br># Adding another layer to the TLS=
 key schedule may also be problematic<br><br>Another strategy for mixing se=
crets is to add the second secret to another layer<br>of the TLS key schedu=
le. This strategy is already used to mix a PSK and an ECDHE<br>secret in TL=
S 1.3, as well as in AuthKEM, and it was also considered for the<br>Hybrid =
key exchange document. This strategy is vulnerable as well to collisions<br=
>in the underlying hash function, and we propose using one secure construct=
ion<br>for mixing secrets.<br><br>Consider a standard PSK+ECDHE TLS 1.3 han=
dshake. Then <br>handshake_secret =3D HKDF_Extract(IKM=3DECDHE_secret, salt=
=3DDerive_Secret(early_secret)) <br>early_secret =3D HKDF_Extract(IKM=3DPSK=
, salt=3D000) <br>HKDF_Extract(IKM, salt) =3D HMAC(k=3Dsalt, data=3DIKM)<br=
><br>Therefore, early_secret =3D HMAC(k=3D000, data=3DPSK). <br>Assume a no=
n-collision-resistant hash function. Then an attacker that can<br>establish=
 multiple PSKs of their choice with another party can cause two<br>sessions=
 with two different PSKs to share the same early_secret. If the other<br>pa=
rty reuses ECDH(E) values, the attacker can also cause the handshake_secret=
 to<br>be identical.<br><br>Furthermore, <br>Client_Handshake_Traffic_Secre=
t =3D <br>=C2=A0 HMAC(k=3DHandshake_Secret, data=3DLabel||H(ClientHello...S=
erverHello)) <br>If the attacker is the server, and the hash function allow=
s for chosen-prefix<br>collisions, the attacker can choose two ServerHello =
messages such that for two<br>different ClientHello messages, H(ClientHello=
...ServerHello) is identical.<br>This leads to identical values for an actu=
al key output of the key schedule,<br>Client-Handshake-Traffic-Secret (if t=
he client reuses an ECDH(E) value, or in a<br>hypothetical PQ TLS, which us=
es a KEM and the server chooses the encapsulated<br>key).<br><br>We note th=
at the full version of the HKDF paper explicitly disclaims security in<br>t=
he presence of attacker-controlled entropy. Also, note that by definition, =
a<br>KEM allows one party to control the secret.<br><br># Appendix: The APO=
P Attack<br><br>APOP is an old challenge-response protocol used in email, r=
elevant here because<br>it demonstrates the attack well. Broadly, in APOP t=
he challenger sends a<br>challenge, and the responder needs to respond with=
:<br>MD5(challenge || password)<br>where || denotes concatenation.<br><br>T=
he attacker wants to e.g. test whether the password starts with &#39;a&#39;=
. They<br>pick an MD5 collision x, y such that MD5(x) =3D MD5(y) and both x=
 and y end with<br>&#39;a&#39;. They wait for the client to connect in two =
different sessions, and send<br>x[:-1] and y[:-1] as the challenges, where =
[:-1] denotes removing the last byte<br>from a string. If the password star=
ts with &#39;a&#39;, and the MD5 blocks align, then<br>the response will be=
 the same for both challenges. The attacker can therefore<br>test a single =
guess for the starting byte with two sessions, and learn that byte<br>after=
 at most 512 sessions. See [1], [2].<br><br>best wishes,<br>Nimrod Aviram, =
Benjamin Dowling, Ilan Komargodski, Kenny Paterson, Eyal Ronen, Eylon Yogev=
<br><br>References: <br>[1] Practical key-recovery attack against APOP, an =
MD5-based challenge-response authentication. Leurent, Gaetan.<br><br>[2] Pr=
actical Password Recovery on an MD5 Challenge and Response.<br>Sasaki, Yu a=
nd Yamamoto, Go and Aoki, Kazumaro.</span><u></u><u></u></p></div><div><p c=
lass=3D"MsoNormal" style=3D"margin-left:1in"><span style=3D"font-size:12pt"=
>=C2=A0</span><u></u><u></u></p></div></div></div></div></blockquote></div>=
</div></div>
</blockquote></div>

--000000000000b4004405cb56ae07--

