Re: [TLS] RFC5487 PSK Key Exchange Algorithm with SHA-256/384. Premaster secret if ciphersuites negotiated for TLS V1.2?

Fox Arcadia <enricarcediano@gmail.com> Thu, 06 November 2014 19:40 UTC


Hi Mr Pégourié

Thanks for your answer. It is very helpful.

But I have one security concern.
TLS is now used by GlobalPlatform Amd. B (basically smart cards, UICCs and
embedded secure elements).
Please see http://www.globalplatform.org/specificationscard.asp.

Part of the PMS is zeroes and this fact is known by the attacker.

Now he can study the power consumption of the device when the PRF is
processing the zeroes and try to get some information about the
countermeasures implemented by the protocol for these devices.

These attacks are known as DFA/SPA.
Please see
http://www.springer.com/computer/security+and+cryptology/book/978-0-387-30857-9

In your opinion, could using a key partially known by the attacker imply a
security threat?

Thanks for your help

Kind regards

On Sun, Oct 19, 2014 at 11:37 AM, Manuel Pégourié-Gonnard <mpg@polarssl.org>
wrote:

> Hi,
>
> Sorry for replying so late, I hope this reply is still useful.
>
> On 20/09/2014 09:51, Fox Arcadia wrote:
> >  Note 2: Using zeroes for "other_secret" effectively means that
> >       only the HMAC-SHA1 part (but not the HMAC-MD5 part) of the TLS PRF
> >       is used when constructing the master secret.  This was considered
> >       more elegant from an analytical viewpoint than, for instance,
> >       using the same key for both the HMAC-MD5 and HMAC-SHA1 parts.  See
> >       [KRAWCZYK <http://tools.ietf.org/html/rfc4279#ref-KRAWCZYK>] for
> > a more detailed rationale.
> >
> IMO, this is only a rationale for using the zeroes, not a normative part.
>
> > but if using a PRF defined in TLS V1.2, then HMAC-MD5 is not used but
> > the HMAC defined by the PRF.
> >
> > And, in that case, part of the used premaster is zeroes.
> >
> Yes, in that case part of the PMS is zeroes, and it's fed to the TLS PRF
> (using SHA256) as is, including the zeroes.
>
> At least, that's what we do in PolarSSL and we never had interop issues
> (tested regularly with OpenSSL and GnuTLS at least).
>
> > should we in that case reuse PSK for other_secret?
> >
> Nope.
>
> Manuel.
>
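The construction the thread argues about, as an added example that is not code from the thread or from PolarSSL: the RFC 4279 plain-PSK premaster secret (length-prefixed zeroes followed by the length-prefixed PSK) fed whole into the TLS 1.2 P_SHA256 PRF, beside the TLS 1.0 PRF split that Note 2 of RFC 4279 refers to, where the zero-filled S1 half keys P_MD5 and only S2 carries the PSK. The PSK and random values are constructed sample data.

```python
import hmac

# Added example (not from the thread or from PolarSSL): how the RFC 4279
# plain-PSK premaster secret is built and fed to the TLS PRF.
# The PSK and random values below are constructed, not real values.

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 5246 section 5: HMAC chained over A(i), then truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def psk_premaster_secret(psk, other_secret=None):
    """RFC 4279 section 2: uint16 len(other_secret) || other_secret || uint16 len(psk) || psk.
    For plain PSK suites other_secret is N zero octets, N = len(psk)."""
    if other_secret is None:
        other_secret = b"\x00" * len(psk)
    return (len(other_secret).to_bytes(2, "big") + other_secret
            + len(psk).to_bytes(2, "big") + psk)

def master_secret_tls12(pms, client_random, server_random, hash_name="sha256"):
    """RFC 5246 section 8.1: the whole PMS, zero prefix included, keys P_SHA256
    (P_SHA384 for the RFC 5487 *_SHA384 suites); 48 bytes of output."""
    return p_hash(hash_name, pms, b"master secret" + client_random + server_random, 48)

def tls10_halves(pms):
    """RFC 2246 section 5: PMS split into S1 (keys P_MD5) and S2 (keys P_SHA1),
    the halves overlapping by one byte when the length is odd."""
    half = (len(pms) + 1) // 2
    return pms[:half], pms[len(pms) - half:]

def master_secret_tls10(pms, client_random, server_random):
    """RFC 2246 PRF: P_MD5(S1, seed) XOR P_SHA1(S2, seed), 48 bytes."""
    s1, s2 = tls10_halves(pms)
    seed = b"master secret" + client_random + server_random
    return bytes(x ^ y for x, y in zip(p_hash("md5", s1, seed, 48),
                                       p_hash("sha1", s2, seed, 48)))

# Constructed sample values.
PSK = bytes(range(1, 17))          # 16-byte pre-shared key
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    pms = psk_premaster_secret(PSK)
    s1, _ = tls10_halves(pms)
    print("PMS:", pms.hex())
    print("TLS 1.0 S1 (P_MD5 key, all public bytes):", s1.hex())
    print("TLS 1.2 master secret:", master_secret_tls12(pms, CLIENT_RANDOM, SERVER_RANDOM).hex())
```

With a 16-byte PSK the PMS is 36 bytes, so in TLS 1.0 S1 is the two length bytes plus the sixteen zeroes and S2 is the length-prefixed PSK, which is why Note 2 says only the HMAC-SHA1 half is effectively keyed; in TLS 1.2 the same 36 bytes, public prefix included, are the single HMAC key.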