Re: [TLS] What would make TLS cryptographically better for TLS 1.3

Robert Ransom <rransom.8774@gmail.com> Sat, 02 November 2013 03:53 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161B321E809B for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 20:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KU-DnR4w5E99 for <tls@ietfa.amsl.com>; Fri, 1 Nov 2013 20:53:14 -0700 (PDT)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id CC0A921E8093 for <tls@ietf.org>; Fri, 1 Nov 2013 20:53:13 -0700 (PDT)
Received: by mail-qc0-f170.google.com with SMTP id n9so2911071qcw.15 for <tls@ietf.org>; Fri, 01 Nov 2013 20:53:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YBlUPgkD3qtyjRiwO/HOsw4bTE4vVh3bYjfvRkO752o=; b=GsvuLWBNIiXgkStgcgbnXKFMi3n/R329UJUpy8i2Ox9YHjpk2t3h8lkBN1Vg1r3j2K Vjzb9Q6bXBWkGOHopDo+8ol8w5WFLaelFlGPHwQdKnsWna6Jo25qDzYS6+OStAjhf/q9 x0snnFcSNpGfyMYu1kMBAa8w7QBg7OlARdNHGgxgtSpnz/Wxi0Fbq/5NTm3AlbX365j5 5eWxTp7DtIuhANrD47mTcKm0vR67KQGzHAildAU4PS9Y2eiPnJcjqiRbq5BehtuFQuYz Vfuf48fWLEKaqRgbF8PmrNFPYPmRBeBYJUwPR66SNIntZ51XlNgkhuAY0dEBY+2/ev+k Rmtg==
MIME-Version: 1.0
X-Received: by 10.224.171.196 with SMTP id i4mr8085878qaz.38.1383364393196; Fri, 01 Nov 2013 20:53:13 -0700 (PDT)
Received: by 10.229.12.198 with HTTP; Fri, 1 Nov 2013 20:53:13 -0700 (PDT)
In-Reply-To: <e5081bc3784fe15976397ccf73eee71f.squirrel@www.trepanning.net>
References: <CACsn0cnS7LWo+AN1maw-KYGhWXY1BLNPNOjiL-Y3UU3zG-Je_Q@mail.gmail.com> <20131031230955.GB32733@gmail.com> <CABqy+sof-NtSmZwTNN-x9Ekppz4PYMu2Pr3KjaEUdT7Wzxe7mQ@mail.gmail.com> <4e1772ced74d9347c88a66b123f8878f.squirrel@www.trepanning.net> <20131101231342.GG32733@gmail.com> <7e7cd08953358f9e9344d0afdb2e37bf.squirrel@www.trepanning.net> <CABqy+sq=9ue=iNkUEzrddJLdYRdAWk5YRz43sR2DV2Xrv5CHBQ@mail.gmail.com> <e5081bc3784fe15976397ccf73eee71f.squirrel@www.trepanning.net>
Date: Fri, 01 Nov 2013 20:53:13 -0700
Message-ID: <CABqy+sq9pp3hVkDYhZ98AfkXAYcdt2j+fbrFSnCmLteGHYEETg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What would make TLS cryptographically better for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 03:53:15 -0000

On 11/1/13, Dan Harkins <dharkins@lounge.org> wrote:
>
>
> On Fri, November 1, 2013 5:38 pm, Robert Ransom wrote:
>> On 11/1/13, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>>
>>> On Fri, November 1, 2013 4:13 pm, Nico Williams wrote:
>>
>>>> Agreed.  A small nonce should suffice for key derivation if either
>>>> party
>>>> reuses their supposedly-ephemeral DH keys.  By "small" I mean "not
>>>> nearly as large as 32 bytes, i.e., not enough to suffice for a
>>>> Dual_EC-type backdoored RNG attack".  The party reusing a key should
>>>> send some such small nonce, possibly a 64-bit nonce.  In any case, the
>>>> client ought not be reusing ephemeral DH keys, and any server that does
>>>> should be rotating them often (like SSHv1 used to).
>>>
>>>   It has nothing to do with key derivation, it's to prevent a small
>>> sub-group
>>> attack. Sending a nonce does not prevent this attack since it's just
>>> going
>>> to
>>> be another known for the attacker to use when running through the small
>>> sub-group looking the right secret.
>>
>> Small-subgroup attacks are entirely orthogonal to whether a server can
>> be caused to reuse a session key.  (Reusing a session key destroys the
>> security properties of many bulk encryption methods, including all
>> stream ciphers, regardless of whether the server's DH secret key is
>> disclosed.)
>
>   "caused to reuse a session key"? Who said anything about that.

Nico Williams proposed omitting all nonces from (EC)DHE handshakes and
shared secrets in a future version of TLS.  My objection to that
proposal was that servers need to ensure that *something* in the
handshake is fresh, and if that is not a nonce, they will need to
ensure that at least one of the DH keypairs is new.  I thought it was
obvious that the reason for that was to prevent an attacker from
replaying the client DH public key and causing the server to reuse a
session key.  (It was obvious to Nico.)

> My
> statement was in response to yours that said:
>
>    "If the server sends a nonce during DHE/ECDHE key exchange, the
>     server can safely reuse its DH keypair for multiple clients WITH NO
>     FURTHER DESIGN OR IMPLEMENTATION CONSIDERATIONS  (emphasis
>     mine)".
>
> Again, if the server decides to reuse its DH key pair with multiple
> clients then it needs some implementation considerations, namely it
> needs to protect itself against a small sub-group attack. And this is
> regardless of whether it sends a nonce or not. It has nothing to do with
> key derivation.

Sorry.  I forgot that some elliptic-curve groups are meant to be
implemented in such a way that single-use ECDH keypairs appear to
remain safe, but an attacker can obtain the secret portion of an ECDH
keypair if it is used for more than one key exchange.

If the server sends a nonce during DHE/ECDHE key exchange, the server
can safely reuse its DH keypair for multiple clients with no further
*protocol-level* design or implementation constraints.  The
cryptographic primitive still needs to be securely designed and
implemented.

My main point was that if the server does *not* send a nonce, as Nico
suggested, the server needs significant further design,
implementation, and runtime computation to reuse its DH keypair
without reusing session keys.  That further effort may negate the
performance benefits of reusing DH keypairs on the server side, and
may lead implementations to not support (EC)DHE or a hypothetical
future version of TLS.


>   Also, your statement that "[r]eusing a session key destroys the security
> properties of...all stream ciphers" leaves a bit of quantification up to
> the reader. It's reuse of a session key _and_ a counter/nonce, and that's
> only if you are not using SIV mode.

RC4 does not support a counter/nonce.  Adam Langley's proposed
ChaCha/Poly1305 ciphersuites use ChaCha's nonce input for the message
number, not to permit safe reuse of a session key.

GCM mode (which uses AES in counter mode as a stream cipher) may or
may not reuse a nonce.  There's no way to guarantee that a GCM
implementation will not choose to reuse the portion of a nonce that it
generates, especially if it does not know that the key is being
reused, but you do have a point -- GCM can be implemented in such a
way that using a session key twice will not immediately destroy its
security.  (Reusing a session key many times will still eventually
lead to nonce reuse.)

CCM mode (also based on AES in counter mode) may or may not reuse a
nonce.  They cut-and-pasted the text from the GCM RFC that "Each value
of the nonce_explicit MUST be distinct for each distinct invocation of
the GCM encrypt function for any fixed key.", without changing "GCM"
to "CCM", and again without any mention of how this distinctness is to
be guaranteed within a 64-bit field if the implementation does not
know that a key has been reused.  As with GCM, reusing a session key
many times will still lead to nonce reuse in implementations with
limited storage.

SIV mode should be safer under key reuse, but is not used in any TLS
ciphersuite, and is not likely to be useful if future versions of TLS
retain the ServerRandom field (or an equivalent server-provided nonce
in the handshake).

Future stream-cipher-based ciphersuites are likely to be more like the
proposed ChaCha ciphersuite than GCM/CCM.


In any case, for the sake of security, performance, and simplicity,
ciphersuites should be able to rely on the handshake layer to not
generate the same session key twice.


Robert Ransom