Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Eric Rescorla <ekr@rtfm.com> Wed, 24 December 2014 21:02 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FFD1A1ADC for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 13:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8vckk-5iqVmi for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 13:02:26 -0800 (PST)
Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81A821A1ADF for <tls@ietf.org>; Wed, 24 Dec 2014 13:02:26 -0800 (PST)
Received: by mail-wi0-f174.google.com with SMTP id h11so14355697wiw.13 for <tls@ietf.org>; Wed, 24 Dec 2014 13:02:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=7zQM87vDg6E9AjjuKnrriJKnpr0SgMrRBdTlVs9Esjs=; b=b4yYCxWeJd2lnplVQivShqsHX44QFyIdO7e2WZ4cSvUDfpTGtQo/NSk765SKtrVOEZ VjBMPfXuX9TYweKZlWvyoRh/qVHd/hqoAdwJprIEUD0HwYKfsDWFPLa8Ja9r1DngaTlq hvZD+KvlPbrLZ9uwe/wpRTKqDP244RKGmmjpzOoQTeuv2woFoI415vq42hrI8y213WqN ff8IGjsp+V6b8PqXd3FmKcOhF5rQ328KD5RzAKIWUIzAJZFC2mttUcRwTZ21FxgAF0ZW 8khBMxw/ABVzzL3u1QLMqrlYMS6bt/+/wKAYHQ+mVv7dlgw703ekaOjHJj6nrBgzv/Ez y0Fg==
X-Gm-Message-State: ALoCoQlx6vgX5HXERIYnRvB0WoQOe5Ijf6ttkNDc7X2U2Vj9N/+GsiwT9l8FTGwqFgx7DNAh3nL7
X-Received: by 10.180.21.178 with SMTP id w18mr53767455wie.78.1419454945313; Wed, 24 Dec 2014 13:02:25 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.130.34 with HTTP; Wed, 24 Dec 2014 13:01:45 -0800 (PST)
In-Reply-To: <20141224193906.GB4583@LK-Perkele-VII>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com> <20141224185031.GA4583@LK-Perkele-VII> <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com> <20141224193906.GB4583@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Dec 2014 13:01:45 -0800
Message-ID: <CABcZeBOD_6Uan73ntOBKb3JwhYB2xzhrz+xGue_sy-B4-1VA4A@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary=047d7bb70a7cca59d7050afc9b0e
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/effvwLbx8O-erDVWarl_xVl3yQc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 21:02:28 -0000

On Wed, Dec 24, 2014 at 11:39 AM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi>; wrote:

> On Wed, Dec 24, 2014 at 10:55:53AM -0800, Eric Rescorla wrote:
> > On Wed, Dec 24, 2014 at 10:50 AM, Ilari Liusvaara <
> > ilari.liusvaara@elisanet.fi>; wrote:
> >
> > > On Wed, Dec 24, 2014 at 10:21:58AM -0800, Eric Rescorla wrote:
> > > > On Tue, Dec 23, 2014 at 6:37 AM, Ilari Liusvaara <
> > > > ilari.liusvaara@elisanet.fi>; wrote:
> > > > >
> > > > > Any reason not to fix the hash function per-ciphersuite, so servers
> > > > > and clients don't have to run multiple hashes in parrallel?
> > > > >
> > > >
> > > > The client and server may want to use different signature algorithms.
> > >
> > > I mean the hash in data to be signed (not the internal hash function in
> > > signature algortithm).
> > >
> > > That is, it would be digital signature of:
> > >
> > > - 32 padding bytes (or ClientRandom)
> > > - 32 padding bytes (or ServerRandom)
> > > - Context string
> > > - Ciphersuite ID (to provode domain separation)
> > > - handshake_hash(transcript)
> > >
> >
> > So to be clear, you are proposing that we might (for instance) have
> > a signature with (say) SHA-1 over a handshake hash computed with
> > SHA-256?
>
> Yes.
>
> E.g ECDSA/SHA1 for signatures and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> for connection. That would result in SHA-1 signature over SHA-256 hash.
>
>
> The other way around can't happen with any current ciphersuite (because
> every current one has prf-hash of either SHA-256 or SHA-384).


Thanks for the clarification. What do other people think about this
suggestion?

-Ekr


>
>
>
> -Ilari
>