Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 24 December 2014 19:39 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 200F61A1A69 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 11:39:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c8_0v9vD1jd for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 11:39:09 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45A591A1A63 for <tls@ietf.org>; Wed, 24 Dec 2014 11:39:08 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id EE613188766; Wed, 24 Dec 2014 21:39:06 +0200 (EET)
Date: Wed, 24 Dec 2014 21:39:06 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141224193906.GB4583@LK-Perkele-VII>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com> <20141224185031.GA4583@LK-Perkele-VII> <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hrhKhe25cJW8AbTJNkaB65YoUWc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 19:39:11 -0000

On Wed, Dec 24, 2014 at 10:55:53AM -0800, Eric Rescorla wrote:
> On Wed, Dec 24, 2014 at 10:50 AM, Ilari Liusvaara <
> ilari.liusvaara@elisanet.fi>; wrote:
> 
> > On Wed, Dec 24, 2014 at 10:21:58AM -0800, Eric Rescorla wrote:
> > > On Tue, Dec 23, 2014 at 6:37 AM, Ilari Liusvaara <
> > > ilari.liusvaara@elisanet.fi>; wrote:
> > > >
> > > > Any reason not to fix the hash function per-ciphersuite, so servers
> > > > and clients don't have to run multiple hashes in parrallel?
> > > >
> > >
> > > The client and server may want to use different signature algorithms.
> >
> > I mean the hash in data to be signed (not the internal hash function in
> > signature algortithm).
> >
> > That is, it would be digital signature of:
> >
> > - 32 padding bytes (or ClientRandom)
> > - 32 padding bytes (or ServerRandom)
> > - Context string
> > - Ciphersuite ID (to provode domain separation)
> > - handshake_hash(transcript)
> >
> 
> So to be clear, you are proposing that we might (for instance) have
> a signature with (say) SHA-1 over a handshake hash computed with
> SHA-256?

Yes.

E.g ECDSA/SHA1 for signatures and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
for connection. That would result in SHA-1 signature over SHA-256 hash.


The other way around can't happen with any current ciphersuite (because
every current one has prf-hash of either SHA-256 or SHA-384).



-Ilari