Re: [TLS] draft-tls-tls13 - comments on section 4.8.1 Digital Signature
Eric Rescorla <ekr@rtfm.com> Fri, 27 May 2016 21:59 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67CC912D1B0 for <tls@ietfa.amsl.com>; Fri, 27 May 2016 14:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpImrTJO9obJ for <tls@ietfa.amsl.com>; Fri, 27 May 2016 14:58:59 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4148912D11F for <tls@ietf.org>; Fri, 27 May 2016 14:58:59 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id o16so118126286ywd.2 for <tls@ietf.org>; Fri, 27 May 2016 14:58:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=sabG1mYojMCv2PCTns3iRFmLEYG7iAX5rCH1W3jHAe4=; b=JLdGknD543uWcDbE3pT069VEQsfTArXI5Bl84xX1ITGkv4ycMY4JAjNXYl5D24kRyN YXMQkznPwUFF9NBuzF6AMY1DgoCKTXXNDYpRXzmk6RNjeQkt4fR9WOS+0K6QHEpYlCrb 26kzCER8SH8yTsEEZfJ3hwBnDRUQ2xdTmX0aoZ+7OVx95bR5qRswe1FgbgG6O/CahLwy qlvZZJF9ZAizWw1BbuS34Ai3V9MnY7k2D7d+bdl858XCkKBTn98qsKJIaIY/c05a7861 Xnr9Q5PGy6Ft9+DGtnQIOhcsAztPoZ8wT8t27U7eb4PNVh0ZARBqnhQr2U05drn0Io5D I8Fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=sabG1mYojMCv2PCTns3iRFmLEYG7iAX5rCH1W3jHAe4=; b=h6FJdlGZP3zLaoSTL4RFEUTCRSr58wSKkq1S7nKCm1pCZ0b6AFBN2pApMdeGSRl5E/ UJa/gbza5idFjIMOzMFEv8SM77dDpTAcFCE9jLKi4RnLNpcW95neC5jhBflhXwYFiREG K17V7KNzTT8jWt116KT+irtagVffi3ac6tE17Z4bLa1Tozh6XmzoTk5ytMhtktJCcEWN mtnm/Gqrx61RlV5mCeChtz6w/lh+fcsNcLhDBUhstsyBbnESUpwEZOYo8JrvI6eI2uQQ DbMgfhKHgpYdjLIthKjem9JWDgaB6yJJvPWf8H8xiCVcOjhuhMzzo8DDpQ69y9JkyW80 o4Pw==
X-Gm-Message-State: ALyK8tJ1lqpuxmMsd9TCa91TENlfV93rG8+RUkaxT/6BHUHyrYJMOsw5epLeZwr20p4uDA5ufMFvaFc+KZFzhQ==
X-Received: by 10.13.233.1 with SMTP id s1mr9830035ywe.286.1464386338492; Fri, 27 May 2016 14:58:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Fri, 27 May 2016 14:58:19 -0700 (PDT)
In-Reply-To: <CADZyTk=WDQ3yxvqY5vuczsoTtXb6LUPJk0T6fWDYOFCJXPeJAw@mail.gmail.com>
References: <CADZyTk=WDQ3yxvqY5vuczsoTtXb6LUPJk0T6fWDYOFCJXPeJAw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 27 May 2016 14:58:19 -0700
Message-ID: <CABcZeBPzXUT9WrL4i0tLWJhYwVZGAZtz=-PMENBawS3ra4WGcg@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
Content-Type: multipart/alternative; boundary="94eb2c07cfb48549ba0533da03db"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YbddOLMCq2a5WpB2sopdqJhrxxM>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] draft-tls-tls13 - comments on section 4.8.1 Digital Signature
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 May 2016 21:59:01 -0000
On Fri, May 27, 2016 at 1:17 PM, Daniel Migault <daniel.migault@ericsson.com > wrote: > Hi, > > I have a few comments while reading 4.8.1 Digital Signature of > draft-tls-tls13.Hope it helps. > > BR, > Daniel > > Comment a) > "In previous versions of TLS, the ServerKeyExchange format meant that > attackers can obtain a signature of a message with a chosen, 32-byte prefix. > " > > My understanding is that the ServeKeyExchange format defines the bits > exchanged between the TLS Client and the TLS Server. I think the attack > vector is more coming from how the signatures are computed. I would rather > propose something like: > > "In previous version of TLS, the signature of the ECDH or EDH public key > is performed by concatenating the client random, the server random to the > public keys. The concatenation is hash and then signed. As the client > random is chosen by the TLS CLient, such design allows an attacker to > obtain a signature of a message with a chosen 32-byte prefix." > Hmm... I'm not sure this makes it much clearer. How about "The computation of the signature in the ServerKeyExchange...." Comment b) > > "Because TLS 1.3 servers are likely to also implement prior versions, the > contents of the element always start with 64 bytes of octet 32 in order to > clear that chosen-prefix. > > I think some additional steps need to be explicitly specified. I am not > completely sure of what is being signed. > a) padding + context + H(client.random + server + random + ECDHE/DHE > Params) > OR > b) padding + context + client.random + server + random + ECDHE/DHE > Params > OR > c) padding + context + ECDHE/DHE Params > OR > d) something else > > I assume that is a) in which case, the reason for choosing this format is > to constraint changes between TLS versions at the signing module. In > addition, if the correct scheme is a) maybe some additional text or > reference could explain why the padding and context solves this problem. By > prepending a fixed padding and some context, to the output of the hash > function, the TLS Client does not control the input that is signed as > cryptographic hash function are expected to be non-invertible. > None of these. The specific structs are indicated with digitally-signed, but generally the thing being signed is the concatenation of the handshake hashes and the hash of the resumption ctx. > Comment c) > > "A single 0 byte is appended to the context to act as a separator." > > When describing how the input to be signed is built, it may be clearer to > emphasize that string ends with 0, whihc leads to a "00" separator. I would > propose to add something like: "As the string ends with a "0" byte, the > binary representation will results in two zero bytes." > It's just one zero. TLS strings don't have trailing zeros. The 00 is 0x00. It would help the reader to add that “Example” is represented in hexa by 4578616d706c650 > with the end of string character. > > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] draft-tls-tls13 - comments on section 4.8.1… Daniel Migault
- Re: [TLS] draft-tls-tls13 - comments on section 4… Eric Rescorla
- Re: [TLS] draft-tls-tls13 - comments on section 4… Daniel Migault