Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
Benjamin Kaduk <kaduk@mit.edu> Mon, 12 October 2020 19:57 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E53663A08AB for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 12:57:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gjg59_5AX477 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 12:57:09 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 869963A08A6 for <tls@ietf.org>; Mon, 12 Oct 2020 12:57:09 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 09CJv2M7011115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Oct 2020 15:57:07 -0400
Date: Mon, 12 Oct 2020 12:57:02 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael D'Errico <mike-list@pobox.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20201012195702.GC1212@kduck.mit.edu>
References: <0da9b525-ec78-bef5-6ceb-5f377019ade4@gmx.net> <4ca7c2f9-1e9d-0d16-0089-649f013b4565@gmx.net> <20201008233454.GF89563@kduck.mit.edu> <6185242d-8ba8-2d2f-5938-afad46c2e854@gmx.net> <20201009212240.GK89563@kduck.mit.edu> <401a965c-69ee-455a-8c09-12a37f3b89dc@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <401a965c-69ee-455a-8c09-12a37f3b89dc@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hCIXfYPhIjPK6MyomTLCnV83ras>
Subject: Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 19:57:11 -0000
Hi Mike, On Sat, Oct 10, 2020 at 01:29:13PM -0400, Michael D'Errico wrote: > On Fri, Oct 9, 2020, at 17:22, Benjamin Kaduk wrote: > > [...] The behavior we should demand from our cryptographic > > constructions is that the cryptography itself correctly returns > > "valid" or "invalid" based on the input message, provided that > > the application inputs the correct key material. (It should also > > return "invalid" if incorrect key material is supplied, of course.) > > The ability to produce two different messages for which the > > cryptography returns "valid" violates this principle; even if we > > do not see an obvious path by which a reasonable application > > might supply those inputs to the cryptographic code, it is still > > a flawed construction. > > Hi, > > I'd like clarification about this point, where the cryptography > should return values of "valid" or "invalid". This is a general > question, not specifically about this draft. (Please read at > least the next 2 paragraphs.) > > I remember a long time ago, it may have been the renegotiation > info extension, where there was a lot of calculation being done, > there were two complicated values each side had to compute. > If they were equal, then everything was fine and the handshake > could proceed. If not, there was an insecure renegotiation > happening. (Or maybe it was the downgrade protection RFC, > I can't remember now.) But if the values were not equal, then > something bad was happening and the handshake should not > proceed. > > The problem both Martin Rex and I discovered at nearly the > same time (posts to the mailing list within minutes of each > other) was that both sides could go through all the motions > faithfully calculating all of the values, correctly, and then > forget to compare them to see if the values were actually > the same. I noticed this because I wrote the code, and it > seemed like an easy thing to overlook. > > I remember suggesting that we somehow incorporate the > calculated values into the derivation of the record layer keys > so the MAC would fail, or maybe into the Finished message > calculation so (if you remember to check that?) a failure is > noticed later. This suggestion was shot down by the author > unilaterally for what I perceived at the time to be petty > reasons. > > I still believe that (D)TLS security should not rely on the > implementer to check whether two values are equal. This > is too easy to forget to do. Or you could do this in C: > > if (complex_value_a = complex_value_b) { > // we're in trouble.... > } > > I have not looked at the TLS 1.3 draft beyond the hour or so > I've put in so far to see whether this reliance on checking is > in there too. I've also not checked whether the security The TLS 1.3 handshake transcript is an input to the key schedule; manual comparison of generated values is not necessary for security. I would encourage you to continue in your efforts reading RFC 8446 -- in my opinion we put quite a bit of effort in towards making it readable. (With, perhaps, the exception of stateless HelloRetryRequest as you have already noted, since the main expected use case is in DTLS.) -Ben
- [TLS] AD review of draft-ietf-tls-dtls-connection… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-c… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Joseph Salowey
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Watson Ladd
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Ilari Liusvaara
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Peter Gutmann
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla