IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Watson Ladd <watsonbladd@gmail.com> Sat, 25 October 2014 21:36 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 538C61A1AF8 for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 14:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0kiD-FFqZ-I for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 14:36:10 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCA841A1AD5 for <tls@ietf.org>; Sat, 25 Oct 2014 14:36:09 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id 29so3130180yhl.27 for <tls@ietf.org>; Sat, 25 Oct 2014 14:36:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=0kxQLM99q3Ac4kcrShLVMIsxaieDyQnzaxpLviKabQY=; b=SGpBZKpcauwC5HeGv4ojQrEmaWGE2QExf9yan32L3vSjjYKLqAUZ5t43/VaQUOFYSh xrbc6j18eigctawN1F6QX+A+Qi9AGxRoRctcKOJar/9tcu6O/f8dncM+YfVq2EaKajTR AJRIKVvzHh1BF0DIIsA4nm8+pmtkPH/fPvIesKTnjFo5++WPPkFZgxbeWr8XWsRcENt1 bo1HLXNjx1dXVgO1ITdoh/w/oOB2+oK6sGOmHTAQri3BYeCtt1pbKtiwnxFbRnZgu6aM chBIKJowhsKgKx+Ul+Ww0Fe1V+zi574h/FC2622C7at8UhaNaprNLlqszU4uSQ9mdhOr 4IdQ==
MIME-Version: 1.0
X-Received: by 10.236.46.38 with SMTP id q26mr4291734yhb.176.1414272969198; Sat, 25 Oct 2014 14:36:09 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Sat, 25 Oct 2014 14:36:09 -0700 (PDT)
In-Reply-To: <20141025201642.GA7408@LK-Perkele-VII>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <CACsn0ckWj2Jb65JN3mpABe0hC=ao3Bi7qQgUJYkUgzG9giAn8Q@mail.gmail.com> <20141025201642.GA7408@LK-Perkele-VII>
Date: Sat, 25 Oct 2014 14:36:09 -0700
Message-ID: <CACsn0cna6uZqZP=j6U67PNNJncTTNO+PP=iyrHp_mBOpm+pt+Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/a6KyQaMikQ9idGTEE0lMBV2gXuA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 21:36:11 -0000

On Sat, Oct 25, 2014 at 1:16 PM, Ilari Liusvaara
<ilari.liusvaara@elisanet.fi> wrote:
> On Sat, Oct 25, 2014 at 12:55:58PM -0700, Watson Ladd wrote:
>> On Sat, Oct 25, 2014 at 12:51 PM, Nikos Mavrogiannopoulos
>> <nmav@redhat.com> wrote:
>>
>> > 3. There are known attacks against the current ServerKeyExchange format which
>> > remain applicable if we go this path (a sufficiently long DH serverkeyexchange
>> > message can be parsed as an ECDH serverkeyexchage).
>>
>> And 4: session_hash solves the same problem if I understand the
>> elements of it correctly, and we need it anyway because of this
>> ambiguity in parsing mentioned above. So do we even need this draft?
>
> AFAIK, no, it won't, at least not completely.

I'm afraid I didn't realize how what I wrote would be read. It seems
to me that the session_hash doesn't necessarily fix the ambiguity
issue, but does ensure that sending bad groups will achieve nothing
for an attacker. Even if we adopt this draft for DHE, session_hash is
still needed in TLS 1.2. So what does this draft get us, assuming
session_hash is deployed?

>
> (TLS 1.3 has this problem fixed, even without session_hash[1]).
>
>
> [1] Without session_hash TLS 1.3 is broken in other ways without DH
> order check (and one can't rely on endpoints to perform such check
> even if it is feasible, so session_hash is a good idea there too).
>
>
> -Ilari



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.39.1 | Report a Bug | By Email | System Status