Re: [TLS] Fresh results

Fabrice Gautier <fabrice.gautier@gmail.com> Thu, 03 December 2015 18:41 UTC

In-Reply-To: <1449051281.4345.31.camel@redhat.com>
References: <CACsn0cm41VD40tiwR-sO9piPu01rRkoWKPwHWCKcr5Z9id8kDg@mail.gmail.com> <20151201210257.64f1a7a5@pc1> <1449051281.4345.31.camel@redhat.com>
From: Fabrice Gautier <fabrice.gautier@gmail.com>
Date: Thu, 03 Dec 2015 10:40:47 -0800
Message-ID: <CANOyrg9AwQHfjZssf0c_=hfHvwLAuq2kFZwkOM7d8tHoHjaQ1A@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hDhJcRYcI9wa6fD2Qcb7HZaILts>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Fresh results

On Wed, Dec 2, 2015 at 2:14 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> On Tue, 2015-12-01 at 21:02 +0100, Hanno Böck wrote:
>> On Tue, 1 Dec 2015 14:28:49 -0500
>> Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> > https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
>> >
>> > This one looks very nasty to fix. Short of disallowing the use of RSA
>> > certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
>> > don't see a good fix. I haven't read this paper in detail yet.
>> >
>> > Cross-protocol attacks are the gift that keeps giving.
>>
>> Correct me if I'm wrong, but as I understand the result (and I had one
>> of the authors explaining it to me a few days ago) the problem appears
>> only if you have a TLS 1.2 implementation with an RSA key exchange that
>> is vulnerable to a Bleichenbacher attack. If it is not then you're
>> fine.
>
> The interesting result of the paper is:
> "Even though this limits the practical impact of this attack, it
> demonstrates that simply removing a legacy algorithm from a standard is
> not necessarily sufficient to protect against its weaknesses."
>
> Even though the attack does not work for current implementations, it
> underlines that if you reuse keys from TLS 1.2 to TLS 1.3 you don't get
> any advantage from the better algorithms in TLS 1.3. You are as safe as
> if you were using TLS 1.2.
>
> That can be claimed to be a trivial result, given that it is underlined
> in almost every paper that describes a cross-protocol attack, but it is
> still not grasped by the engineering community. Quite a few
> cross-protocol attacks have been described (Kerberos 4 -> Kerberos 5 by
> Yu et al., TLS between ciphersuites starting with Wagner and Schneier),
> but still we reuse keys between protocols.

Can we solve that problem generically by having TLS implementations
use different certs for different TLS versions, and have an indicator
in the certs to indicate which version(s) they are for?

-- Fabrice

>
> regards,
> Nikos
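The key-reuse point Nikos makes above, as an added toy illustration that is not code from this thread or from the paper: the RSA private-key operation is the same modular exponentiation whether it is used for TLS 1.2 key transport (decrypt) or for a TLS 1.3 CertificateVerify (sign), so anything that exposes the decryption role of a key also exposes its signing role, and only keeping the two roles on separate keys (Fabrice's per-version certificates) breaks that link. The key sizes, primes and transcript hash are constructed toy values, and PKCS#1 padding is omitted, so the raw operation stands in for what a Bleichenbacher oracle would provide in practice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RsaKey:
    """Toy RSA key; n is far too small for real use (demonstration only)."""
    n: int
    e: int
    d: int

def toy_key(p: int, q: int, e: int) -> RsaKey:
    """Build a toy key from two small primes (constructed values)."""
    return RsaKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def private_op(key: RsaKey, x: int) -> int:
    """The single private-key operation that both decrypting and signing use."""
    return pow(x, key.d, key.n)

def tls12_rsa_key_transport_decrypt(server_key: RsaKey, ciphertext: int) -> int:
    """TLS 1.2 RSA key-exchange role (PKCS#1 v1.5 padding omitted in this toy)."""
    return private_op(server_key, ciphertext)

def tls13_certificate_verify_ok(server_pub: RsaKey, transcript_hash: int, sig: int) -> bool:
    """TLS 1.3 signature role: the peer checks sig against the transcript hash
    using only the public part (e, n) of server_pub."""
    return pow(sig, server_pub.e, server_pub.n) == transcript_hash

def decrypt_role_yields_valid_signature(decrypt_key: RsaKey, signing_pub: RsaKey,
                                        transcript_hash: int) -> bool:
    """Defender's check: if the TLS 1.2 decryption role of decrypt_key were exposed
    (a Bleichenbacher oracle in practice; this toy just calls the raw operation),
    would its output verify as a TLS 1.3 signature under signing_pub?
    True means a TLS 1.2 weakness reaches TLS 1.3 through the shared key."""
    forged = tls12_rsa_key_transport_decrypt(decrypt_key, transcript_hash)
    return tls13_certificate_verify_ok(signing_pub, transcript_hash, forged)

# Constructed toy keys and a stand-in transcript hash (all values are made up).
SHARED_KEY = toy_key(61, 53, 17)       # one key reused for TLS 1.2 and TLS 1.3
TLS13_ONLY_KEY = toy_key(101, 113, 3)  # a separate key dedicated to TLS 1.3
TRANSCRIPT_HASH = 1234

def key_reuse_exposure() -> tuple:
    """Returns (exposed with the shared key, exposed with per-version keys)."""
    reused = decrypt_role_yields_valid_signature(SHARED_KEY, SHARED_KEY, TRANSCRIPT_HASH)
    separated = decrypt_role_yields_valid_signature(SHARED_KEY, TLS13_ONLY_KEY, TRANSCRIPT_HASH)
    return reused, separated

if __name__ == "__main__":
    print(key_reuse_exposure())  # (True, False)
```

With per-version keys the TLS 1.2 role can still be attacked, but the result no longer verifies under the TLS 1.3 key, which is exactly the separation the thread is asking for.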