Re: [TLS] Remove DH-based 0-RTT

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 24 February 2016 23:29 UTC

From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <20160224181450.GB28926@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Thu, 25 Feb 2016 00:28:56 +0100
Message-Id: <C7D168A4-BFBC-4AE5-8087-E32BABD7C6BD@gmail.com>
References: <CABkgnnUUXQh=aStz4DuPtw5mWaF7aDFozuUwQp_QbJ2EGL0eHg@mail.gmail.com> <201602232057.18505.davemgarrett@gmail.com> <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com> <CACsn0cnoCNLPY3ic9Z72ZgUuvCwTyxzzGXU5W8LeZ4zBEwpHVw@mail.gmail.com> <CABcZeBNCgfdsBioP8_9E2Jrh0WDLHjW0QS+x=99LqdYnYwsbuw@mail.gmail.com> <974CF78E8475CD4CA398B1FCA21C8E99564E7F92@PRN-MBX01-4.TheFacebook.com> <CABkgnnX-+_fxAg=uJzDri-58+Ax0w2paQee8AEai-tCGCDv63A@mail.gmail.com> <20160224180045.GA28926@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUsRpcaZvmxMH=xohh6ev+3QZPuw4yjySGMtA=pCq_Qwg@mail.gmail.com> <20160224181450.GB28926@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YMvZeDONMnpIhveR4MKIOu_NTVM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove DH-based 0-RTT

> 
> The server signature is essentially over raw handshake messages, up
> to and including ServerCertificate. The first message that would
> depend on actual value of SS is ServerFinished, which comes after
> that point…

Yes Ilari, you’re right.

In my TRON talk, I described an attack on PSK+Signature server auth
which showed that the natural way of composing PSK + Sigs won’t work.
(And no it doesn’t work for PSK-ECDHE either.)

I think the proper way to do it is that the pre_shared_key extension
should include a psk_context value derived from the PSK. E.g. for resumption,
it could include the session hash of the previous connection.
For pure PSK, it could include a MAC computed using the PSK.

It is worth noting that having such a psk_context in the client hello
would’ve prevented the attack that Cremers et al found in Tamarin as well.

Best,
Karthik
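The psk_context idea in Karthik's message, sketched as an added example that is not from this thread, from any TLS implementation, or from the TLS 1.3 binder as it was finally specified: the client's pre_shared_key offer carries a value derived from the PSK (the previous session hash for resumption, a PSK-keyed MAC over the offer for pure PSK), and the server recomputes it before accepting the identity. The message layout, the `psk_context` label, the function names and the sample keys are all assumptions made for the example.

```python
import hashlib
import hmac

# Added illustration of the "psk_context" idea from this thread: the ClientHello's
# pre_shared_key offer carries a value derived from the PSK, so an offer made without
# the PSK, or an offer moved onto a different ClientHello, fails the server's check.
# Not TLS implementation code and not the TLS 1.3 binder as finally specified;
# the message layout, labels and function names are assumptions for this example.

HASH = hashlib.sha256


def session_hash(transcript):
    """Resumption case: context = hash of the previous connection's handshake transcript."""
    h = HASH()
    for msg in transcript:
        h.update(msg)
    return h.digest()


def psk_mac(psk, identity, hello_prefix):
    """Pure-PSK case: context = MAC keyed by the PSK over the offer it is attached to."""
    mac = hmac.new(psk, digestmod=HASH)
    mac.update(b"psk_context")       # assumed domain-separation label
    mac.update(identity)
    mac.update(hello_prefix)         # ClientHello bytes preceding the extension
    return mac.digest()


def client_offer(psk, identity, hello_prefix, prior_transcript=None):
    """Build the pre_shared_key extension a client would send."""
    if prior_transcript is not None:
        ctx = session_hash(prior_transcript)
    else:
        ctx = psk_mac(psk, identity, hello_prefix)
    return {"identity": identity, "psk_context": ctx}


def server_accepts(psk_db, offer, hello_prefix):
    """Recompute the expected psk_context server-side and compare in constant time.

    psk_db maps identity -> (psk, prior_transcript or None)."""
    entry = psk_db.get(offer["identity"])
    if entry is None:
        return False
    psk, prior_transcript = entry
    if prior_transcript is not None:
        expected = session_hash(prior_transcript)
    else:
        expected = psk_mac(psk, offer["identity"], hello_prefix)
    return hmac.compare_digest(expected, offer["psk_context"])


# Constructed sample data (not real keys or captured handshakes)
PSK = bytes(range(32))
IDENTITY = b"client-42"
HELLO = b"ClientHello|random=" + bytes(32) + b"|groups=x25519"
PRIOR = [b"ClientHello-prev", b"ServerHello-prev", b"Finished-prev"]

PSK_DB = {
    IDENTITY: (PSK, None),      # externally provisioned PSK
    b"ticket-7": (PSK, PRIOR),  # resumption PSK with the transcript it came from
}


def demo():
    """Outcomes of the server check in the cases a practitioner would want to see."""
    good = client_offer(PSK, IDENTITY, HELLO)
    resumed = client_offer(PSK, b"ticket-7", HELLO, prior_transcript=PRIOR)
    no_psk = client_offer(b"\x00" * 32, IDENTITY, HELLO)  # offer built without the real PSK
    return {
        "legitimate": server_accepts(PSK_DB, good, HELLO),
        "resumption": server_accepts(PSK_DB, resumed, HELLO),
        "without_psk": server_accepts(PSK_DB, no_psk, HELLO),
        # the same valid offer attached to a different ClientHello no longer verifies
        "moved_offer": server_accepts(PSK_DB, good, HELLO + b"|other"),
    }


if __name__ == "__main__":
    print(demo())
```

The resumption branch binds the offer to the earlier connection rather than to the current ClientHello; the MAC branch binds it to both the PSK and the ClientHello bytes it accompanies, which is the property that makes a PSK offer unusable outside the hello it was computed for.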
