Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Eric Rescorla <ekr@rtfm.com> Wed, 24 December 2014 18:22 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Dec 2014 10:21:58 -0800
Message-ID: <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_b9rxUQvEX1XbY9Y5OEXYtQMFhw
Cc: "tls@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Tue, Dec 23, 2014 at 6:37 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:

> On Mon, Dec 22, 2014 at 01:38:36PM -0800, Eric Rescorla wrote:
> > Adam updated his PR to sign the prefix concatenated with the handshake
> > hashes, which makes it easier to have a single hash context.
> >
> > https://github.com/tlswg/tls13-spec/pull/100
> >
> > I haven't seen any objections to this idea, so I'll merge this on Wednesday
> > unless I hear an objection before then.
> >
>
> Any reason not to fix the hash function per-ciphersuite, so servers
> and clients don't have to run multiple hashes in parallel?
>

The client and server may want to use different signature algorithms.

-Ekr


> A suitable hash function is required by the THS fix anyway, and one
> could just reuse that context if one has an implementation capable of
> intermediate hashes or hash context cloning.
>
> If one is worried about cross-hash attacks (even if all hashes should
> be strong), stick the ciphersuite ID (which fixes the hash) into
> data to be signed.
>
>
> -Ilari
>
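
The signing input discussed in this thread (a NUL-terminated context string followed by the handshake hash, with intermediate hashes taken by cloning one running hash context), as an added example that is not part of the original message or of the PR. The context labels, the message bytes, the 2-byte ciphersuite field and its sample value, and the use of a single SHA-256 context are assumptions made for illustration.

```python
import hashlib

# Constructed labels for illustration; not the strings defined by the PR.
SERVER_CTX = b"example server CertificateVerify"
CLIENT_CTX = b"example client CertificateVerify"
SAMPLE_SUITE_ID = 0xC02F  # constructed sample value for the optional binding


def snapshot(running):
    """Intermediate handshake hash: clone the context, finalize only the clone."""
    return running.copy().digest()


def to_be_signed(context, handshake_hash, suite_id=None):
    """Build context || 0x00 || [2-byte ciphersuite ID] || handshake hash.

    The NUL terminator makes the set of prefixes unambiguous: no context
    string can be mistaken for another context plus leading payload bytes.
    """
    if b"\x00" in context:
        raise ValueError("context string must not contain NUL")
    out = context + b"\x00"
    if suite_id is not None:
        # Optional: bind the ciphersuite (and so the hash) into the signed data,
        # as suggested in the quoted message. Field layout is an assumption.
        out += suite_id.to_bytes(2, "big")
    return out + handshake_hash


def demo():
    """Run one hash context over constructed handshake bytes, snapshotting twice."""
    running = hashlib.sha256()
    running.update(b"constructed ClientHello bytes")
    running.update(b"constructed ServerHello bytes")
    h_server = snapshot(running)   # hash covered by the server's signature
    running.update(b"constructed server Certificate bytes")
    h_client = snapshot(running)   # the same context kept running
    return {
        "h_server": h_server,
        "h_client": h_client,
        "server": to_be_signed(SERVER_CTX, h_server, SAMPLE_SUITE_ID),
        "client": to_be_signed(CLIENT_CTX, h_client, SAMPLE_SUITE_ID),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

The bytes returned by `to_be_signed` are what would be handed to the signature algorithm; signing itself is left out because it depends on the key type each side uses.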