[TLS] (no subject)
Eric Rescorla <ekr@rtfm.com> Thu, 09 February 2017 21:18 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09FD31294CF for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 13:18:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ko-e2li5csIs for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 13:18:14 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B276129484 for <tls@ietf.org>; Thu, 9 Feb 2017 13:18:14 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id v200so10078795ywc.3 for <tls@ietf.org>; Thu, 09 Feb 2017 13:18:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=sdxyC8H8P4Omvh+NegEvncPQ9l8ko2CACRPz5VBqfVg=; b=dgneLn8kGDHA9iGaapIFlCUfWGP+qzRpDFgW2b+H2EkpDeQ1G5OX3/n4VM8XyPoHaE EmN2buCJaafdIuu21qsac2+umtoipL058LM3wYW7vV9iY6Sk43lPqmL0t0GgZrkK8yjN QlbQmwihKNpw9gpekDo+KoiZIQ4q/A1yFtckEfXkEuoe0s84ELuLjFOXzIe9YFKMxUTH iSQlCEZ8ZTADH+v+fhNMZ106fJ8R/gB4mfF54Wo8KeAMrX6FsWbylP7AXEAWOGQlveAN /fx24ukt4KKBDs+weuLqU9jcComNPOXv/WEhfu2JiCNb26yU99avuyxKPf245VXtVrF+ KwMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=sdxyC8H8P4Omvh+NegEvncPQ9l8ko2CACRPz5VBqfVg=; b=Khv8QPgjqRDe16nR8jiwdPqqxvjgRsK/VbjfugwLkNx0fPaZEzOqsrbFFgIy/HtW83 zDNAgD0BzvBrzBtmORYx+5llhrHtTSqBKwJpjdzHMM8bry/9DPNDqyztpWqf2aDGM3H6 grNojmoVJDUZll0cE9tsFXxofPSD8hBn1SVF5/StSkIpOqRyng3LDLYusGLRw41OgiYh z4OBY8fRi9D6uxoXDzy8Ad0B13Lz6WpyTPlj5KHx8nTcM61//aETBpW9WX1SUfA8yR9N u6VT/+A9nMfuWOIY2p19375sy7+a2BOUjqCLFIAmeDvCVzT8U3cio8DmuY6g2ZnH2CKG Hg+w==
X-Gm-Message-State: AMke39kDuo86z2OLhlk1yvblBvmtqDFyTSpVJT5sIXX3t1EQCFXJ6ht0kMZzW+VnSoeCZkT8XXPurcvFyxeOKA==
X-Received: by 10.129.132.77 with SMTP id u74mr3960752ywf.125.1486675093496; Thu, 09 Feb 2017 13:18:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Thu, 9 Feb 2017 13:17:33 -0800 (PST)
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 09 Feb 2017 13:17:33 -0800
Message-ID: <CABcZeBN_orTCuVoqg_KRQqRBvMXNzp=yT64W=d2M3D8r2=uoKg@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114f0996d876c605481f840d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aDukiSh5dd5oofzn5Ab85H4uJ_Q>
Subject: [TLS] (no subject)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 21:18:16 -0000
Hi folks,
We need to close on an issue about the size of the
state in the HelloRetryRequest. Because we continue the transcript
after HRR, if you want a stateless HRR the server needs to incorporate
the hash state into the cookie. However, this has two issues:
1. The "API" for conventional hashes isn't designed to be checkpointed
at arbitrary points (though PKCS#11 at least does have support
for this.)
2. The state is bigger than you would like b/c you need to store both
the compression function and the "remainder" of bytes that don't
fit in [0]
Opinions differ about how severe all this is, but it's certainly
unaesthetic, and it would be nice if the state that was stored in
the HRR cookie was just a hash output. There seem to be three
major approaches for this (aside from "do nothing").
1. Special case HRR and say that the transcript is either
CH || SH .... (no HRR)
or
Hash(CH1) || HRR || CH ... (HRR) [1]
2. Pre-hash the messages, so that the handshake hash
becomes:
Handshake_hash_N = Hash(Hash(msg_1) || Hash(msg_2)
... Hash(msg_N))
3. Recursively hash, so that the handshake hash becomes:
Handshake_hash_N= Hash(Handshake_hash_N-1 || msg_N)
[As Antoine Delignat-Lavaud points out, this is basically making
a new Merkle-Damgard hash with H as the compression function.]
I've posted PR#876, which implements version #2, but we could do any one of
the three.
and they all have the same state size. The argument for #1 seems to be
that it's the minimal change, and also the minimal overhead, and the
argument against is that it's non-uniform because CH1 is treated
differently. We might imagine making it seem more uniform by also
hashing HRR but that doesn't make the code any simpler. Versions #2
and #3 both are more uniform but also more complicated changes.
The arguments for #2 versus #3 are that #3 is somewhat faster
(consider the case where you have a short message to add, #2 always
needs to run the compression function twice whereas #3 can run it
once). However, with #3 it is possible to take a hash for an unknown
transcript and create a new hash that matches that unknown transcript
plus an arbitrary suffix. This is already a property of the M-D
hashes we are using but it's worse here because those hashes add
padding and length at the end before finalizing, so an extension
wouldn't generally reflect a valid handshake transcript, whereas in
this case you get to append a valid message, because the padding is
added with every finalization stage. I don't know of any reason
why this would be a security issue, but I don't have any proof it's
not, either.
I'd like to get the WG's thoughts on how to resolve this issue over the next
week or so so we can close this out.
-Ekr
[0] The worst-case overhead for SHA-256 is > 64 bytes and for SHA-512
it’s > 128 bytes. The average is half that.
[1] We actually need to do something to make it injective, because
H(CH1) might look like a handshake message, but that should be easy.
- [TLS] (no subject) Eric Rescorla
- Re: [TLS] (no subject) Kyle Nekritz
- Re: [TLS] (no subject) Dr Stephen Henson
- Re: [TLS] (no subject) Eric Rescorla
- Re: [TLS] (no subject) Eric Rescorla
- Re: [TLS] (no subject) Hubert Kario
- Re: [TLS] (no subject) Ilari Liusvaara
- Re: [TLS] (no subject) Eric Rescorla