Re: [TLS] Fresh results
Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 02 December 2015 10:14 UTC
Message-ID: <1449051281.4345.31.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
Date: Wed, 02 Dec 2015 11:14:41 +0100
In-Reply-To: <20151201210257.64f1a7a5@pc1>
References: <CACsn0cm41VD40tiwR-sO9piPu01rRkoWKPwHWCKcr5Z9id8kDg@mail.gmail.com> <20151201210257.64f1a7a5@pc1>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cO6NCJXWq6tB3rcCHHHLKV1Cxww>
On Tue, 2015-12-01 at 21:02 +0100, Hanno Böck wrote:
> On Tue, 1 Dec 2015 14:28:49 -0500
> Watson Ladd <watsonbladd@gmail.com> wrote:
>
> > https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
> >
> > This one looks very nasty to fix. Short of disallowing the use of RSA
> > certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
> > don't see a good fix. I haven't read this paper in detail yet.
> >
> > Cross-protocol attacks are the gift that keeps giving.
>
> Correct me if I'm wrong, but as I understand the result (and I had one
> of the authors explaining it to me a few days ago) the problem appears
> only if you have a TLS 1.2 implementation with an RSA key exchange that
> is vulnerable to a Bleichenbacher attack. If it is not then you're
> fine.

The interesting result of the paper is:

"Even though this limits the practical impact of this attack, it
demonstrates that simply removing a legacy algorithm from a standard is
not necessarily sufficient to protect against its weaknesses."

Even though the attack does not work for current implementations, it
underlines that if you reuse keys from TLS 1.2 to TLS 1.3 you don't get
any advantage from the better algorithms in TLS 1.3. You are as safe as
if you were using TLS 1.2.

That can be claimed to be a trivial result, given that it is underlined
in almost every paper that describes a cross-protocol attack, but it is
still not grasped by the engineering community. Quite a few
cross-protocol attacks have been described (Kerberos 4 -> Kerberos 5 by
Yu et al., TLS between ciphersuites starting with Wagner and Schneier),
but we still reuse keys between protocols.

regards,
Nikos
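The key-reuse point made in this message can be turned into a concrete configuration check. The following is an added example (not code from the thread, the referenced paper, or any TLS library): it groups a set of TLS endpoints by the private key they serve, and flags any key that is both exposed through a TLS 1.2 static-RSA key exchange (the context in which a Bleichenbacher-style oracle lives) and reused for TLS 1.3. The `Endpoint` records, key identifiers and endpoint names are constructed sample data; the cipher-suite classification relies only on the IANA `TLS_RSA_WITH_*` naming convention for static RSA key exchange.

```python
"""
Audit helper for cross-protocol key reuse between TLS 1.2 and TLS 1.3.

Constructed example illustrating the point in the message above: a key
reused across versions is only as safe as the weakest protocol it is
used with. Not code from the referenced paper or from any TLS stack.
"""
from dataclasses import dataclass
from typing import Dict, List


def uses_static_rsa_kx(suite: str) -> bool:
    """IANA suite names of the form TLS_RSA_WITH_* use static RSA key
    exchange: the server's RSA private key decrypts the client's
    premaster secret, the operation a padding oracle would target.
    ECDHE_RSA / DHE_RSA suites only sign, and TLS 1.3 suites carry no
    key-exchange component in their name at all."""
    return suite.startswith("TLS_RSA_WITH_")


@dataclass
class Endpoint:
    name: str            # constructed label for the listener
    key_id: str          # constructed key identifier (e.g. an SPKI fingerprint in practice)
    versions: List[str]  # protocol versions the listener offers
    suites: List[str]    # cipher suites offered for TLS 1.2 and below


LEGACY_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def rsa_kx_exposed(ep: Endpoint) -> bool:
    """True if this listener will perform RSA premaster decryption."""
    return bool(LEGACY_VERSIONS & set(ep.versions)) and any(
        uses_static_rsa_kx(s) for s in ep.suites
    )


def audit_key_reuse(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Return {key_id: [endpoint names]} for every key that is exposed via
    static RSA key exchange on at least one listener and also used for
    TLS 1.3 on at least one listener (possibly the same one). Such a key
    gets no benefit from TLS 1.3: its security is bounded by the TLS 1.2
    RSA key-exchange path. Remediation is either a separate key per
    protocol or dropping TLS_RSA_WITH_* suites in favour of (EC)DHE."""
    by_key: Dict[str, List[Endpoint]] = {}
    for ep in endpoints:
        by_key.setdefault(ep.key_id, []).append(ep)

    findings: Dict[str, List[str]] = {}
    for key_id, eps in by_key.items():
        exposed = {e.name for e in eps if rsa_kx_exposed(e)}
        tls13 = {e.name for e in eps if "TLSv1.3" in e.versions}
        if exposed and tls13:
            findings[key_id] = sorted(exposed | tls13)
    return findings


# Constructed sample inventory. key-A is shared between a legacy listener
# with static RSA and a TLS 1.3-only listener; key-D is a single listener
# offering both versions with static RSA still enabled; key-B uses only
# ECDHE on the legacy side; key-C never reaches TLS 1.3.
SAMPLE_ENDPOINTS = [
    Endpoint("legacy-web", "key-A", ["TLSv1.2"],
             ["TLS_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
    Endpoint("new-web", "key-A", ["TLSv1.3"], []),
    Endpoint("api-old", "key-B", ["TLSv1.2"],
             ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]),
    Endpoint("api-new", "key-B", ["TLSv1.3"], []),
    Endpoint("mail", "key-C", ["TLSv1.2"], ["TLS_RSA_WITH_AES_256_CBC_SHA"]),
    Endpoint("dual-stack", "key-D", ["TLSv1.2", "TLSv1.3"],
             ["TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
]


def example_findings() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory."""
    return audit_key_reuse(SAMPLE_ENDPOINTS)


if __name__ == "__main__":
    for key_id, names in example_findings().items():
        print(f"{key_id}: reused across TLS 1.2 static RSA and TLS 1.3 on {', '.join(names)}")
```

Only key-A and key-D are reported: key-B is shared across versions but never exposed through static RSA, and key-C is exposed but never used with TLS 1.3. In a real inventory the `key_id` would be derived from the certificate's public key so that the same key deployed under different certificates is still grouped together.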