IETF Logo Mail Archive

Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]

Watson Ladd <watsonbladd@gmail.com> Thu, 18 September 2014 04:29 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84B0E1A0680 for <tls@ietfa.amsl.com>; Wed, 17 Sep 2014 21:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8e4cIn6aIIq6 for <tls@ietfa.amsl.com>; Wed, 17 Sep 2014 21:29:28 -0700 (PDT)
Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0432E1A01E0 for <tls@ietf.org>; Wed, 17 Sep 2014 21:29:27 -0700 (PDT)
Received: by mail-qg0-f44.google.com with SMTP id z107so426710qgd.3 for <tls@ietf.org>; Wed, 17 Sep 2014 21:29:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vsqT/nzbDiX13JzzLqvP1XDfy6+1pKHh5cf1QRhhZS4=; b=VzqNgSdk7APUtNaO0vuzDDdb/G0qvL8Iwlmgg8gFZAWNsi9/x5lm8I1muCQgVcu4JG 91OJd0Rmq8mAiKfsRGTjs8OMpTGmXnNLt1/UwCLCoptHFINLEszOEPeNzbHsAHCWxDhW +fia1uyty6ix9iltH2mlm2H1+EsVXKZ4/cTF160KIAPdjGEG+6oAvcB+mhg46E1I8rK4 s2GHo2HbyOZsDOE6Q+l6nFEKhQzazfowG3rzp1dIY+y7Zyna3TufcpeVwHjS9o08enx6 EIhHaOvZrsEzksjaTIJAtfwC9EmsGQGwXjOwKRiVkCUtRZ4tPEjVkKu7W1R4BNblP2d4 oB7A==
MIME-Version: 1.0
X-Received: by 10.236.8.69 with SMTP id 45mr1411760yhq.19.1411014567249; Wed, 17 Sep 2014 21:29:27 -0700 (PDT)
Received: by 10.170.207.216 with HTTP; Wed, 17 Sep 2014 21:29:27 -0700 (PDT)
In-Reply-To: <20140918034042.GA4273@localhost>
References: <20140912200607.GE16660@localhost> <20140918011622.CB9391AE4C@ld9781.wdf.sap.corp> <20140918034042.GA4273@localhost>
Date: Wed, 17 Sep 2014 21:29:27 -0700
Message-ID: <CACsn0cm1yVMAVLYDb-kz2-UVuMt06=m_OabCxV4W9FjLMgwHLQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TwXOMCUEY3vyUT5tL-xkMGQ9108
Cc: Markulf Kohlweiss <markulf@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Sep 2014 04:29:29 -0000

On Wed, Sep 17, 2014 at 8:40 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Thu, Sep 18, 2014 at 03:16:22AM +0200, Martin Rex wrote:
>> Nico Williams wrote:
>> > On Thu, Sep 11, 2014 at 05:18:37PM +0200, Martin Rex wrote:
>> > > I also don't understand why the fact that TLS finished messages are
>> > > encrypted would make any proof harder.  I believe that to be untrue.
>> >
>> > Hugo K.'s rationale is that you then need to have replay protection.  We
>> > need replay protection anyways, but if you're only analyzing the
>> > handshake then it helps to not have to include subsequent replay
>> > protection in the analysis.
>>
>> Somehow that argument feels quite lame when it is combined with the
>> argument "the proof would be easier when the finished messages were
>> sent in the clear, could we not change this".
>>
>> Just do the proof under the assumption/premise that the finished messages
>> *ARE* in the clear.  Then send them encrypted.  Unless you're doing avoidable
>> weird things, sending them encrypted rather then in the clear should not
>> affect the original proof at all.
>
> To me the argument feels lame because we must anyways be able to
> distinguish record types[0] and detect replays[1] (at least for TLS, and
> for DTLS[2] I would argue that replays of handshake messages must always
> be enabled).

That wasn't the argument Mr. Krawczyk and I made. TLS provides a
secure channel, and we know how to prove it does.
Rather the problem is that some applications like RFCs I've cited,
that are deployed, use the TLS handshake to derive a key
that is used for another purpose. This is not safe without analysing
the specifics of the encryption scheme used.

In particular, an application that has its own record layer may
interpret the Finished message in strange ways. This can cause
problems.

There are other unpatched issues, like the possibility to misinterpret
the Server Key Exchange field and use this to impersonate a server,
that need addressing. And so far nothing has been said about the
proposed changes.

Sincerely,
Watson Ladd
>
> [0] Certainly if we retain any asynchronous handshake or other
>     non-application records post-initial handshake then we must be able
>     to securely distinguish record types!
>
> [1] Certainly if we retain any asynchronous... then we must be able to
>     securely detect replays.
>
> [2] I understand application record replay detection being optional in
>     DTLS.  But certainly it mustn't be for any async handshake records.



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email