Re: [TLS] Another IRINA bug in TLS

Santiago Zanella-Beguelin <santiago@microsoft.com> Wed, 20 May 2015 16:58 UTC

From: Santiago Zanella-Beguelin <santiago@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Another IRINA bug in TLS
Date: Wed, 20 May 2015 16:58:06 +0000
Message-ID: <1432141085848.37685@microsoft.com>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com>
In-Reply-To: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hDci_VBNeTeLUmFY7HVByKr_HpI>

Indeed, we are lazy and didn't want to write things like TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA in full.

The extended master secret extension won't prevent the attack because the downgrade happens within the handshake and before key confirmation.

If the signature in the ServerKeyExchange message covered a hash of the transcript so far (including the ciphersuite that the server chose), downgrading to "DHE_EXPORT" would no longer be possible.

To be fair, it's not an "INRIA bug". It's joint work with U. Penn, U. Michigan, Johns Hopkins, and Microsoft Research (funded in part by the Microsoft Research-Inria joint centre in Paris).

Cheers,
--Santiago
________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com>
Sent: Wednesday, May 20, 2015 3:05 PM
To: tls@ietf.org
Subject: [TLS] Another IRINA bug in TLS

https://weakdh.org/

Transcript hashing will solve this problem. In the meantime, you want
to turn off DH_EXPORT. There are also implications for false start.
Chrome has already announced countermeasures. I'm pretty sure this
won't be the last issue of this nature.

Sincerely,
Watson Ladd
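
The signature-coverage point discussed in this thread, as an added example that is not part of either message: it compares the bytes a TLS 1.2 ServerKeyExchange signature covers with a variant that also covers a hash of the hellos seen so far. Assumptions: HMAC-SHA256 stands in for the server's RSA/DSS signature, the hellos are reduced to their cipher suite fields, the DH values are constructed placeholders, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Cipher suite code points from the IANA TLS registry.
EXPORT = 0x0011  # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
STRONG = 0x0032  # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
# Constructed sample values, not taken from any real handshake.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
DEMO_KEY = b"constructed-demo-signing-key"

def vec16(data: bytes) -> bytes:
    """TLS variable-length vector with a 2-byte length prefix."""
    return struct.pack("!H", len(data)) + data

def server_dh_params(p: bytes, g: bytes, ys: bytes) -> bytes:
    """ServerDHParams as in RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys."""
    return vec16(p) + vec16(g) + vec16(ys)

def hello_view(offered: list, chosen: int) -> bytes:
    """Simplified ClientHello || ServerHello: only the cipher suite fields."""
    suites = b"".join(struct.pack("!H", s) for s in offered)
    return vec16(suites) + struct.pack("!H", chosen)

def signed_input(params: bytes, view: bytes, bind_transcript: bool) -> bytes:
    """TLS 1.2 covers randoms + ServerDHParams; binding adds a hash of the hellos."""
    base = CLIENT_RANDOM + SERVER_RANDOM + params
    return hashlib.sha256(view).digest() + base if bind_transcript else base

def sign(data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the server's RSA/DSS signature.
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def client_accepts(server_view: bytes, client_view: bytes, bind_transcript: bool) -> bool:
    """Server signs over its view of the hellos; client verifies over its own."""
    params = server_dh_params(bytes([0xC3] * 64), b"\x02", bytes([0x5A] * 64))
    sig = sign(signed_input(params, server_view, bind_transcript))
    return hmac.compare_digest(sig, sign(signed_input(params, client_view, bind_transcript)))

if __name__ == "__main__":
    same = hello_view([STRONG], STRONG)
    split = hello_view([EXPORT], EXPORT)
    for bind in (False, True):
        print("bind_transcript =", bind,
              "| views agree:", client_accepts(same, same, bind),
              "| views differ:", client_accepts(split, same, bind))
```

With the TLS 1.2 input the client's check passes even when the two sides disagree on the negotiated suite; once the hash of the hellos is covered, the same disagreement makes verification fail.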
