Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Eric Rescorla <ekr@rtfm.com> Tue, 25 November 2014 16:41 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C124C1A700F for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 08:41:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4XZJPMtmwsB for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 08:41:31 -0800 (PST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A5991A6FE8 for <tls@ietf.org>; Tue, 25 Nov 2014 08:41:30 -0800 (PST)
Received: by mail-wi0-f173.google.com with SMTP id r20so9716854wiv.12 for <tls@ietf.org>; Tue, 25 Nov 2014 08:41:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=dBPxlk5aGJAb8PRh4mt5MjyXlrcQjoLN8Yt2xM31h08=; b=mk1SRl0PV8STIn4GWkV12L/mAcIr0y6xWklyhKmlv+ar1q+f/UwJ8LyGTw+NIwYW0m cpxZghzfiyt4TIcVLyy77uIvHUiTSJIBkiIqaPmyq6C63evfS/OdAb4Q1pLVuiw5WO6F wPSa2K4Q1AtL+SgQv21APQwwKtvPd/z6nEI1YXQZiLa2VizEm72ctn9+hnlMtofVFUEg sxTkutLk1CNwHyChJswJrYp1DToaUtPqBQuuAIJJY6QVOG8cybxAQ9f2qjBYIoapwyzC tTKXf1IkGlMBr6Ff42dcbD0lcWqGrQg+SFRzKmvUJCMBl1ywb5jdOuN4ggNlK659K8Oc DL+Q==
X-Gm-Message-State: ALoCoQkeeCT7mbCmsfFXk9Y7Qie4FobcV6np2c+yPg721dR8rGhApWlnEzPJZ3tNQfRMsGByNaMb
X-Received: by 10.180.102.98 with SMTP id fn2mr25479042wib.61.1416933689070; Tue, 25 Nov 2014 08:41:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.130.34 with HTTP; Tue, 25 Nov 2014 08:40:48 -0800 (PST)
In-Reply-To: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 25 Nov 2014 08:40:48 -0800
Message-ID: <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Content-Type: multipart/alternative; boundary=f46d0444ef3b352bb10508b19502
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bAM8x1W2FY3wqfxp_5t_1OVVGJ4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 16:41:32 -0000

This seems like a good idea. Thanks for raising it.

If you want to make a PR, I will merge it in.

-Ekr


On Mon, Nov 24, 2014 at 10:55 PM, Adam Langley <agl@imperialviolet.org>;
wrote:

> I generally recommend that, whenever signing a message, a
> NUL-terminated, ASCII context string is prepended to the message to
> ensure that the verifier isn't confused about the context.
> (NUL-terminated, ASCII strings have the property that none is a prefix
> of any other.)
>
> I think that TLS 1.3 provides a good demonstration of why:
>
> Mavrogiannopoulos, Vercauteren, Velichkov and Preneel[1] showed a
> near-miss in the design of TLS <= 1.2 due to a lack of context in
> ServerKeyExchange messages resulting in an ambiguity about whether a
> specific message was DHE or ECDHE.
>
> TLS 1.3 has the server return a CertificateVerify message[2] that
> signs the handshake so far, similar to TLS <= 1.2's message of the
> same name. However, consider a client that implements any version of
> TLS and a server that implements TLS 1.3:
>
> An attacker watches for the ClientHello from the client. Assume, as is
> quite common now, that the client generates its client_random with 32
> random bytes (i.e. there's no timestamp). With probability 2^-32, the
> client_random will start with 0x0100 and bytes 4 and 5 will be 0x03
> and 0x04.
>
> The attacker now connects to the TLS 1.3 server and sends a
> ClientHello such that the prefix of the message (including handshake
> message type and length) is equal to the victim client's client_random
> value. (Most of the bytes can be put into the attacker's client_random
> value and the restriction on the victim client's message ensures that
> the handshake type, length and protocol version are taken care of.)
>
> With the rest of the ClientHello, the attacker is free to make the TLS
> 1.3 handshake look like a TLS 1.2 ServerKeyExchange message. An
> obvious choice is to stuff a dummy server_random into the session ID
> and specify a small p and g such that a discrete-log is easy, then
> consume the rest of the handshake with a huge Y. (The length of the
> TLS 1.3 handshake from the server is predictable.)
>
> Some clients might check that Y < p but, if they do the obvious thing,
> then the TLS 1.3 server's signature over the handshake can be used as
> a TLS 1.2 ServerKeyExchange signature and the client compromised.
>
>
> I may have missed something and, even if not, the restrictions on the
> client's client_random value make it an expensive attack to pull off.
> But it's still another near-miss.
>
> Thus I suggest that signed messages in TLS 1.3 be prefixed with
> context strings. For example, "TLS 1.3 CertificateVerify message from
> server\x00" in this case.
>
> However, since TLS <= 1.2 provides an attacker the ability to get a
> signature for a message with a 32-byte, chosen prefix via the
> ServerKeyExchange, I additionally suggest that the context string
> start with 48-64 bytes of "PADTLS" repeated, in order to clear that
> prefix and cover part or all of the server_random.
>
> (And that signature oracle in TLS <= 1.2 provides another reason,
> should any be needed, not to run a CA:TRUE certificate on a server.)
>
>
> [1] https://www.cosic.esat.kuleuven.be/publications/article-2216.pdf
> [2] https://tlswg.github.io/tls13-spec/#rfc.section.7.4.7
> [3] https://tools.ietf.org/html/rfc5246#section-7.4.1.2
> [4] https://tools.ietf.org/html/rfc5246#section-7.4.3
>
>
> Cheers
>
> AGL
>
> --
> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>