Re: [TLS] TLS and KCI vulnerable handshakes

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 11 August 2015 19:05 UTC

Date: Tue, 11 Aug 2015 22:05:44 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20150811190544.GA13734@LK-Perkele-VII>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz> <9690882F-B794-4D1D-973F-DE7F90120CC3@gmail.com> <CABkgnnXruou6BbgZK8vWUeyb-gW5OTSZKPwPVPwZ826usNz9RA@mail.gmail.com>
In-Reply-To: <CABkgnnXruou6BbgZK8vWUeyb-gW5OTSZKPwPVPwZ826usNz9RA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Uv72-F99rEmQqRKwyCNtnkrD_S0>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Clemens Hlauschek <clemens.hlauschek@rise-world.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and KCI vulnerable handshakes
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

On Tue, Aug 11, 2015 at 11:29:12AM -0700, Martin Thomson wrote:
> On 11 August 2015 at 11:25, Karthikeyan Bhargavan
> <karthik.bhargavan@gmail.com> wrote:
> > No, a regular ECDSA certificate would do.
> > That is, the attack would work as long as
> > - a client has an ECDSA certificate, and
> > - it enables any static TLS_ECDH_* cipher suite, and
> > - its ECDSA private key has been stolen (or chosen) by an attacker.
> 
> I don't see how that would work.  A client that understands the cert
> to be ECDSA won't pair the key with the server's ECDH share, they will
> sign the session transcript with it.

a) ECDSA certs are usable for ECDH (modulo KeyUsage) because there is
no ECDSA-specific key type in X.509.

b) SSL v3.0 server PoP (still there in TLS v1.2) does not sign the
transcript but only the public key (only TLS 1.3 fixes this).
Logjam, anyone?

c) Non-signature client certs (like ECDH) don't have transcript
signatures either.


The attacker can just replay the randoms and SKE, and then compute the
client-side PMS. Game over; EMS will not save you.



-Ilari