Re: [TLS] Computation of static secret in anonymous DH

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 17 June 2015 15:05 UTC

Date: Wed, 17 Jun 2015 18:05:05 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/WGopqCiZO8az2A9a_jgFdUgv6zI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Computation of static secret in anonymous DH

On Wed, Jun 17, 2015 at 05:56:23AM -0700, Eric Rescorla wrote:
> On Wed, Jun 17, 2015 at 1:25 AM, Ilari Liusvaara <
> ilari.liusvaara@elisanet.fi> wrote:
> 
> > On Wed, Jun 17, 2015 at 07:33:31AM +0000, Douglas Stebila wrote:
> > > In the DH-based draft of TLS 1.3 (
> > https://github.com/ekr/tls13-spec/blob/ietf92_materials/draft-ietf-tls-tls13-dh-based.txt
> > ),
> > > how is the ServerParameters message containing the static secret SS
> > > constructed in the unauthenticated setting?
> >
> > There's a much newer version in ekr/tls13-spec#WIP_draft_06
> > (seems to have fixed most of the mistakes in the original WIP)
> >
> 
> Don't worry, I'm sure there are plenty of mistakes left!

Such as how keys for TLS exporters are derived? Trying to
search for 'export' or 'extractor' only gives a changelog
entry about fixing the used key...

The editor's copy says exporters use the master secret (not quite
ideal).

> > It also does not say what master key to use for handshake
> > encryption key derivation. I presume tmp2.
> >
> 
> " For handshake records, this means the ephemeral secret (ES)"
> 
> This whole section is still under active development, though.
 
I was thinking about avoiding using ES twice (since it is not
secured against THS-style attacks, while tmp2 is).


-Ilari