Re: [TLS] Another IRINA bug in TLS

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 20 May 2015 14:59 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19B5B1A8834 for <tls@ietfa.amsl.com>; Wed, 20 May 2015 07:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fENP9cVJbudZ for <tls@ietfa.amsl.com>; Wed, 20 May 2015 07:59:29 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEED41A882F for <tls@ietf.org>; Wed, 20 May 2015 07:59:28 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 58C01699D4; Wed, 20 May 2015 17:59:26 +0300 (EEST)
Date: Wed, 20 May 2015 17:59:26 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20150520145925.GA17676@LK-Perkele-VII>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ud_Tvlrvt3qb3wojV1YMRLRmAug>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 14:59:34 -0000

On Wed, May 20, 2015 at 10:05:25AM -0400, Watson Ladd wrote:
> https://weakdh.org/
> 
> Transcript hashing will solve this problem.

AFAICT, extended_master_secret won't save you from this.

The problem is screwed up server key PoP, and EMS will not fix that
(TLS 1.3 does).

Also, this is not the first attack arising from the way server key
PoP is done...

BTW: Client key PoP is not screwed, so attacker can't forward client
certs...

> In the meantime, you want to turn off DH_EXPORT.

Only works on serverside...

> There are also implications for false start.

I have regarded using false start with non-named groups (and
thus without key checks) as a bad idea.



-Ilari