Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
Eric Rescorla <ekr@rtfm.com> Tue, 25 November 2014 16:41 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C124C1A700F for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 08:41:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4XZJPMtmwsB for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 08:41:31 -0800 (PST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A5991A6FE8 for <tls@ietf.org>; Tue, 25 Nov 2014 08:41:30 -0800 (PST)
Received: by mail-wi0-f173.google.com with SMTP id r20so9716854wiv.12 for <tls@ietf.org>; Tue, 25 Nov 2014 08:41:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=dBPxlk5aGJAb8PRh4mt5MjyXlrcQjoLN8Yt2xM31h08=; b=mk1SRl0PV8STIn4GWkV12L/mAcIr0y6xWklyhKmlv+ar1q+f/UwJ8LyGTw+NIwYW0m cpxZghzfiyt4TIcVLyy77uIvHUiTSJIBkiIqaPmyq6C63evfS/OdAb4Q1pLVuiw5WO6F wPSa2K4Q1AtL+SgQv21APQwwKtvPd/z6nEI1YXQZiLa2VizEm72ctn9+hnlMtofVFUEg sxTkutLk1CNwHyChJswJrYp1DToaUtPqBQuuAIJJY6QVOG8cybxAQ9f2qjBYIoapwyzC tTKXf1IkGlMBr6Ff42dcbD0lcWqGrQg+SFRzKmvUJCMBl1ywb5jdOuN4ggNlK659K8Oc DL+Q==
X-Gm-Message-State: ALoCoQkeeCT7mbCmsfFXk9Y7Qie4FobcV6np2c+yPg721dR8rGhApWlnEzPJZ3tNQfRMsGByNaMb
X-Received: by 10.180.102.98 with SMTP id fn2mr25479042wib.61.1416933689070; Tue, 25 Nov 2014 08:41:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.130.34 with HTTP; Tue, 25 Nov 2014 08:40:48 -0800 (PST)
In-Reply-To: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 25 Nov 2014 08:40:48 -0800
Message-ID: <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Content-Type: multipart/alternative; boundary="f46d0444ef3b352bb10508b19502"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bAM8x1W2FY3wqfxp_5t_1OVVGJ4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 16:41:32 -0000
This seems like a good idea. Thanks for raising it. If you want to make a PR, I will merge it in. -Ekr On Mon, Nov 24, 2014 at 10:55 PM, Adam Langley <agl@imperialviolet.org> wrote: > I generally recommend that, whenever signing a message, a > NUL-terminated, ASCII context string is prepended to the message to > ensure that the verifier isn't confused about the context. > (NUL-terminated, ASCII strings have the property that none is a prefix > of any other.) > > I think that TLS 1.3 provides a good demonstration of why: > > Mavrogiannopoulos, Vercauteren, Velichkov and Preneel[1] showed a > near-miss in the design of TLS <= 1.2 due to a lack of context in > ServerKeyExchange messages resulting in an ambiguity about whether a > specific message was DHE or ECDHE. > > TLS 1.3 has the server return a CertificateVerify message[2] that > signs the handshake so far, similar to TLS <= 1.2's message of the > same name. However, consider a client that implements any version of > TLS and a server that implements TLS 1.3: > > An attacker watches for the ClientHello from the client. Assume, as is > quite common now, that the client generates its client_random with 32 > random bytes (i.e. there's no timestamp). With probability 2^-32, the > client_random will start with 0x0100 and bytes 4 and 5 will be 0x03 > and 0x04. > > The attacker now connects to the TLS 1.3 server and sends a > ClientHello such that the prefix of the message (including handshake > message type and length) is equal to the victim client's client_random > value. (Most of the bytes can be put into the attacker's client_random > value and the restriction on the victim client's message ensures that > the handshake type, length and protocol version are taken care of.) > > With the rest of the ClientHello, the attacker is free to make the TLS > 1.3 handshake look like a TLS 1.2 ServerKeyExchange message. An > obvious choice is to stuff a dummy server_random into the session ID > and specify a small p and g such that a discrete-log is easy, then > consume the rest of the handshake with a huge Y. (The length of the > TLS 1.3 handshake from the server is predictable.) > > Some clients might check that Y < p but, if they do the obvious thing, > then the TLS 1.3 server's signature over the handshake can be used as > a TLS 1.2 ServerKeyExchange signature and the client compromised. > > > I may have missed something and, even if not, the restrictions on the > client's client_random value make it an expensive attack to pull off. > But it's still another near-miss. > > Thus I suggest that signed messages in TLS 1.3 be prefixed with > context strings. For example, "TLS 1.3 CertificateVerify message from > server\x00" in this case. > > However, since TLS <= 1.2 provides an attacker the ability to get a > signature for a message with a 32-byte, chosen prefix via the > ServerKeyExchange, I additionally suggest that the context string > start with 48-64 bytes of "PADTLS" repeated, in order to clear that > prefix and cover part or all of the server_random. > > (And that signature oracle in TLS <= 1.2 provides another reason, > should any be needed, not to run a CA:TRUE certificate on a server.) > > > [1] https://www.cosic.esat.kuleuven.be/publications/article-2216.pdf > [2] https://tlswg.github.io/tls13-spec/#rfc.section.7.4.7 > [3] https://tools.ietf.org/html/rfc5246#section-7.4.1.2 > [4] https://tools.ietf.org/html/rfc5246#section-7.4.3 > > > Cheers > > AGL > > -- > Adam Langley agl@imperialviolet.org https://www.imperialviolet.org > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Signed messages should be prefixed with a N… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Watson Ladd
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla