Re: [TLS] Possible TLS 1.3 erratum

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 16 July 2021 12:44 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Possible TLS 1.3 erratum
Date: Fri, 16 Jul 2021 12:43:34 +0000
Message-ID: <SY4PR01MB62513B6545E754DC00C09D80EE119@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <ME3PR01MB624282F25AA6983F9CEFDCD2EE129@ME3PR01MB6242.ausprd01.prod.outlook.com>, <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com>
In-Reply-To: <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TI20JtthdHQs5K3lwI6sC3rMto4>
Subject: Re: [TLS] Possible TLS 1.3 erratum

Eric Rescorla <ekr@rtfm.com> writes:

>As we are currently working on a 8446-bis, the best thing to do would be to
>file a PR at: https://github.com/tlswg/tls13-spec

Before I do that I thought I'd get some input on what to say; there are actually
two issues, the first being the one I mentioned.  I was thinking something
like:

  TLS 1.2 defined the entries in the "extension_data" as two eight-bit values
  constituting a { hash, signature } pair.  TLS 1.3 changes the definition to
  be a single 16-bit value constituting a cipher suite that encodes both the
  signature and hash algorithm into a single value.  Although some of the TLS
  1.3 values, in particular the rsa_pss_rsae_xxx ones, appear to follow the
  TLS 1.2 format, implementations SHOULD NOT treat them as { hash, signature }
  pairs but as a single cipher suite identifier.

The second one is the fact that there are two different cipher suites for RSA-
PSS, rsa_pss_rsae_xxx and rsa_pss_pss_xxx, with conditions for use that are
stated in a somewhat backwards form, "If the public key is carried in an
X.509 certificate, it MUST use the RSASSA-PSS OID".  Since the only reason
these exist AFAICT is to deal with rsaEncryption vs. RSA-PSS certs, it should
really be stated as something like "the RSA-PSS code point used depends on how
the key is carried in an X.509 certificate.  If the certificate OID is
rsaEncryption then the rsa_pss_rsae_xxx form MUST be used.  If the certificate
OID is RSASSA-PSS then the rsa_pss_pss_xxx form MUST be used".

And then add some explanation for why this is so and what'll go wrong if you
use the other one, since I can't see any reason why you can't just use
rsa_pss_rsae_xxx or rsa_pss_pss_xxx for everything.  What vulnerability is
this mitigating?

Peter.
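The following is an added illustration of the two points raised above; it is not code from this message, from the TLS working group, or from any TLS implementation. It parses the signature_algorithms extension body as a list of opaque 16-bit SignatureScheme values, shows why the rsa_pss_rsae_* code points cannot be read as a TLS 1.2 { hash, signature } pair, and picks rsa_pss_rsae_* or rsa_pss_pss_* from the SubjectPublicKeyInfo algorithm OID of the certificate, which is the rule the message proposes restating. The code points and registries are those of RFC 8446 and RFC 5246 and the OIDs those of PKCS #1; the sample extension bytes and the hash preference order in choose_rsa_pss_scheme are constructed for the example.

```python
"""Added example (not from the mailing-list thread): handling TLS 1.3
SignatureScheme code points as single 16-bit identifiers and selecting the
RSA-PSS code point from the certificate's key OID."""
import struct

# SignatureScheme code points, RFC 8446 section 4.2.3.
RSA_PKCS1 = {"sha256": 0x0401, "sha384": 0x0501, "sha512": 0x0601}
RSA_PSS_RSAE = {"sha256": 0x0804, "sha384": 0x0805, "sha512": 0x0806}
RSA_PSS_PSS = {"sha256": 0x0809, "sha384": 0x080A, "sha512": 0x080B}
ECDSA = {"sha256": 0x0403, "sha384": 0x0503, "sha512": 0x0603}

# TLS 1.2 HashAlgorithm and SignatureAlgorithm values as defined in
# RFC 5246 section 7.4.1.4.1 (later registrations deliberately omitted).
TLS12_HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
TLS12_SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# SubjectPublicKeyInfo algorithm OIDs from PKCS #1.
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"


def parse_signature_algorithms(ext_data: bytes) -> list[int]:
    """Decode the extension body
    SignatureScheme supported_signature_algorithms<2..2^16-2>;
    i.e. a 2-byte length followed by 2-byte opaque code points."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length < 2 or length % 2:
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def encode_signature_algorithms(schemes: list[int]) -> bytes:
    """Inverse of parse_signature_algorithms."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def as_tls12_pair(scheme: int):
    """The TLS 1.2 reading of the value: high byte HashAlgorithm, low byte
    SignatureAlgorithm.  Returns the names, or None when either byte is not
    in the RFC 5246 registry.  rsa_pkcs1_* and ecdsa_* values survive this
    reading; every rsa_pss_* value does not (0x08 is not an RFC 5246 hash),
    which is why the split must not be applied to TLS 1.3 code points."""
    hi, lo = scheme >> 8, scheme & 0xFF
    if hi in TLS12_HASH and lo in TLS12_SIG:
        return TLS12_HASH[hi], TLS12_SIG[lo]
    return None


def rsa_pss_scheme_for_cert(spki_oid: str, hash_name: str) -> int:
    """The RSA-PSS code point RFC 8446 requires, chosen by how the key is
    carried in the certificate: rsaEncryption -> rsa_pss_rsae_*,
    id-RSASSA-PSS -> rsa_pss_pss_*."""
    if spki_oid == OID_RSA_ENCRYPTION:
        return RSA_PSS_RSAE[hash_name]
    if spki_oid == OID_RSASSA_PSS:
        return RSA_PSS_PSS[hash_name]
    raise ValueError(f"not an RSA key OID: {spki_oid}")


def choose_rsa_pss_scheme(peer_schemes: list[int], spki_oid: str):
    """Signer-side selection: the first hash (strongest first, an assumed
    preference order) whose PSS code point matching our certificate's key
    type was offered by the peer.  None when nothing acceptable was offered,
    rather than silently falling back to the other RSA-PSS family."""
    for hash_name in ("sha512", "sha384", "sha256"):
        candidate = rsa_pss_scheme_for_cert(spki_oid, hash_name)
        if candidate in peer_schemes:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed ClientHello extension body: rsa_pss_rsae_sha256,
    # rsa_pss_pss_sha256, rsa_pkcs1_sha256.
    offered = parse_signature_algorithms(bytes.fromhex("0006080408090401"))
    for s in offered:
        print(f"0x{s:04x} TLS 1.2 reading: {as_tls12_pair(s)}")
    print("rsaEncryption cert ->", hex(choose_rsa_pss_scheme(offered, OID_RSA_ENCRYPTION)))
    print("RSASSA-PSS cert    ->", hex(choose_rsa_pss_scheme(offered, OID_RSASSA_PSS)))
```

Note that a peer which offers only rsa_pss_rsae_* leaves a server holding an RSASSA-PSS certificate with no acceptable scheme, and choose_rsa_pss_scheme reports that rather than substituting the other family; that is the behaviour the message asks the specification to explain.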