Re: [TLS] Computation of static secret in anonymous DH

Ilari Liusvaara <> Fri, 26 June 2015 16:54 UTC

Date: Fri, 26 Jun 2015 19:54:15 +0300
From: Ilari Liusvaara <>
To: Eric Rescorla <>
Message-ID: <20150626165415.GA28534@LK-Perkele-VII>
References: <> <20150617082529.GA17280@LK-Perkele-VII> <> <20150617150505.GA19959@LK-Perkele-VII> <> <20150626085008.GA25187@LK-Perkele-VII> <>

On Fri, Jun 26, 2015 at 05:55:21AM -0700, Eric Rescorla wrote:
> On Fri, Jun 26, 2015 at 1:50 AM, Ilari Liusvaara <> wrote:
> > 1) xSS is used as direct input to HKDF-Expand, so one would presume
> > it should be HKDF-Extract output (AFAIK, HKDF-Extract and HKDF-Expand
> > are supposed to be paired). HKDF-Extract does not take label nor
> > length.
> >
> > 2) Same as above for xES.
> >
> > 3) Same as above for master_secret.
> >
> > 4) Why does master_secret derivation take xSS and xES instead of
> > SS and ES directly (especially if xSS and xES are supposed to be
> > HKDF-Extract outputs)?
> >
> > 4) Why is finished independent of ES (IIRC, it did depend on it
> > in earlier version)?
> >
> I'm going to refer these to Hugo, as they were his suggestion.

Also, TLS 1.2 had tls-unique also be secret (but one would have to
really misuse it for that to matter). With finished just depending on
SS, secrecy might fail.

Probably nobody uses tls-unique the wrong way, but then, nobody
probably thought somebody uses tls-extractor outputs as nonces in
TLS 1.2 (I know two (now deprecated) protocols that do that, both
took a nasty hit from THS).

> > 5) Application data uses xES as secret. AFAICT, leads to an attack.
> > Should be master_secret (IIRC, was that way in earlier version)?
> >
> This is a typo. Will fix.  Remember, this is a WIP branch. :)
> With that said, I'd be interested in hearing what the attack is.

Pretty weak one, but replaying 0-RTT and then decoding what the server
sends back (which can be quite revealing about what the 0-RTT payload
> > 7) I think there should be helper function defined to do the
> > label zero-padding, instead of it being just a note (just for
> > clarity).
> Hmm... Can you suggest text? Do you think we should do this
> for the signature context as well?

Maybe something like:

HKDF-Extract-Label(secret, label, seed, length) = 
    HKDF-Extract(secret, label + "\0" + seed, length)

Where label is an ASCII label with no NUL bytes and "\0" is the NUL byte.

And then use that.

Might be worthwhile doing for digital signatures as well, but
it isn't clear how to best denote it, since digitally-signed
works as a macro.

Some more stuff:

8) Client and Server certificate verify sign hash of handshake (using
prf-hash) but don't indicate what hash was used. Can have nasty effects
if the prf-hash is ever really broken and replacement has the same
bitlength (yes, we know that broken hashes should be de-implemented,
except this doesn't seem to happen as fast as we would like. RC4, MD5
and EXPORT anybody?).

9) Might make sense to replace the early_data_allowed in
ServerConfiguration with a bitfield listing acceptable uses (some other
uses might be ClientAuthentication and ServerAuthentication).

10) "Finally, note that if the server key is compromised, and client
authentication is used, then the attacker can impersonate the client
to the server (as it knows the traffic key)." ... How does that work?
I tried to figure that out, the problem I hit was that I couldn't
figure out how to compute ES on server side of MITM (without also
having compromised some signed client's key).

11) Section "Random Number Generation and Seeding". Maybe change
SHA-1 to SHA-256 and delete remark about PCs (it is thoroughly

12) "Implementation Pitfalls". Add rejecting incorrect sequence
of handshake message types. There have been _multiple_ catastrophic
security failures from getting this wrong.

13) 'the DSA "k" parameter'. Maybe change that to 'the ECDSA "k"
parameter' (DSA is pretty much obsolete, or better, use deterministic

14) 'In order to allow servers to readily distinguish between
messages sent in the first flight and in the second flight (in
cases where the server rejects the EarlyDataIndication extension),
the client MUST send the handshake messages as content type
"early_handshake"' ...  How does that work? Without explicit
end of transmission indication, the server doesn't know when
to send ServerHello, and it needs to know that in order to
properly lay out its session_hash (and not including those in
session_hash needs _serious_ analysis).
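The HKDF-Extract-Label helper suggested in this message, together with point 1 (HKDF-Extract and HKDF-Expand are meant to be paired, and only Expand takes a length), as an added Python example that is not part of this message or of the TLS 1.3 draft it discusses. The function names (hkdf_extract, hkdf_expand, encode_label, hkdf_expand_label, derive_labelled_keys) and the labels and secrets used are assumptions made for the example; the labelled helper is placed on HKDF-Expand rather than HKDF-Extract, following point 1, and the RFC 5869 test case 1 vector is used as a self-check of the underlying HKDF.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM). Takes no label and no length."""
    if not salt:
        # RFC 5869: an absent salt is HashLen zero bytes.
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: OKM = T(1) | T(2) | ... truncated to `length` bytes."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_label(label: str, seed: bytes) -> bytes:
    """The helper proposed in the message: ASCII label, one NUL byte, then the seed.
    Because the label may not contain NUL, the encoding is unambiguous."""
    raw = label.encode("ascii")
    if b"\x00" in raw:
        raise ValueError("label must not contain NUL bytes")
    return raw + b"\x00" + seed


def hkdf_expand_label(secret: bytes, label: str, seed: bytes, length: int) -> bytes:
    """Labelled HKDF-Expand (assumed name): the info input is label + NUL + seed."""
    return hkdf_expand(secret, encode_label(label, seed), length)


def derive_labelled_keys(shared_secret: bytes, salt: bytes, labels, length: int = 16) -> dict:
    """Extract first, then Expand per label, keeping the two HKDF halves paired."""
    prk = hkdf_extract(salt, shared_secret)
    return {label: hkdf_expand_label(prk, label, b"", length) for label in labels}


def rfc5869_test_case_1_passes() -> bool:
    """Self-check of hkdf_extract/hkdf_expand against RFC 5869, Appendix A, test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex()
        == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


def separator_prevents_collision(secret: bytes) -> dict:
    """Why the NUL separator matters: two distinct (label, seed) pairs whose plain
    concatenation is the same byte string collide without it and differ with it."""
    naive_a = hkdf_expand(secret, b"ab" + b"c", 16)
    naive_b = hkdf_expand(secret, b"a" + b"bc", 16)
    sep_a = hkdf_expand_label(secret, "ab", b"c", 16)
    sep_b = hkdf_expand_label(secret, "a", b"bc", 16)
    return {"naive_collide": naive_a == naive_b, "separated_collide": sep_a == sep_b}


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print("RFC 5869 test case 1:", rfc5869_test_case_1_passes())
    print(separator_prevents_collision(b"constructed-secret"))
    keys = derive_labelled_keys(b"constructed-shared-secret", b"constructed-salt",
                                ["client write key", "server write key"])
    for name, key in keys.items():
        print(f"{name}: {key.hex()}")
```

The separator demonstration is the whole reason for the "no NUL bytes in the label" rule: without a delimiter, ("ab", "c") and ("a", "bc") feed identical info strings to HKDF-Expand and yield identical keys, so two logically different contexts would share key material.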