Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
Michael StJohns <msj@nthpermutation.com> Sat, 27 December 2014 16:50 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23B0D1A8970 for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 08:50:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-_tsK1b-w1k for <tls@ietfa.amsl.com>; Sat, 27 Dec 2014 08:50:05 -0800 (PST)
Received: from mail-qc0-f173.google.com (mail-qc0-f173.google.com [209.85.216.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09E4B1A896B for <tls@ietf.org>; Sat, 27 Dec 2014 08:50:04 -0800 (PST)
Received: by mail-qc0-f173.google.com with SMTP id i17so8134499qcy.32 for <tls@ietf.org>; Sat, 27 Dec 2014 08:50:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=eiJgH65Nf6t67rLu5xJtxtq3m2sAHqHPUheD9upAegc=; b=K4GTEsMsHs7//OKCU+/cOPy41Y1k4v+YON+GZhD1xMz1Slr3XFDvrV52VMYgTO6tjc n0iyw/2lH1STEe2dv+rUlKhh4cfb5HEMOv/otQPAN6e9Bjubm13JM0M9G5KcdELxSO7Q PXjuNnG4Ngxp9aD55xIceybysGtrlq3+CSLMZl6t4vNOr9BU5l5XWVrWDg1dcfSgXG9B o05FoLaoQsqlh3GkYJOdEu0W9y65b9QWADRMIIw5bHmNq3CU4zh+sa8iu9VMeBqeYvKL fJ4v4hk5Fx0LaXHxY24MRkBwKewPwSfSp1QNuekEc96IXktbI+w2pPzhDCqZmJ6PRXNt STHA==
X-Gm-Message-State: ALoCoQmPVcFA1TPZJ55o2Y/cT76WJJDrz8YvuNpgtBsUXif2CEGQ7wVc/Ou382rGiEaNjSgon1r9
X-Received: by 10.224.131.4 with SMTP id v4mr75612455qas.99.1419699004139; Sat, 27 Dec 2014 08:50:04 -0800 (PST)
Received: from [192.168.1.105] (c-69-255-115-150.hsd1.md.comcast.net. [69.255.115.150]) by mx.google.com with ESMTPSA id t2sm28968569qae.6.2014.12.27.08.50.03 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Dec 2014 08:50:03 -0800 (PST)
Message-ID: <549EE32B.7050703@nthpermutation.com>
Date: Sat, 27 Dec 2014 11:49:47 -0500
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com> <20141224185031.GA4583@LK-Perkele-VII> <CABcZeBO2D+DBW+XAzNv9BgXqXzmy8GgwbX24iGZDYXN=aqZ9fg@mail.gmail.com> <20141224193906.GB4583@LK-Perkele-VII> <CABcZeBOD_6Uan73ntOBKb3JwhYB2xzhrz+xGue_sy-B4-1VA4A@mail.gmail.com>
In-Reply-To: <CABcZeBOD_6Uan73ntOBKb3JwhYB2xzhrz+xGue_sy-B4-1VA4A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050502030803040508000004"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jEb49EeTtkSsihouCg4iVnQDhbM
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 16:50:07 -0000
On 12/24/2014 4:01 PM, Eric Rescorla wrote: > > > > > > > That is, it would be digital signature of: > > > > > > - 32 padding bytes (or ClientRandom) > > > - 32 padding bytes (or ServerRandom) > > > - Context string > > > - Ciphersuite ID (to provode domain separation) > > > - handshake_hash(transcript) > > > > > > > So to be clear, you are proposing that we might (for instance) have > > a signature with (say) SHA-1 over a handshake hash computed with > > SHA-256? > > Yes. > > E.g ECDSA/SHA1 for signatures and > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > for connection. That would result in SHA-1 signature over SHA-256 > hash. > > > The other way around can't happen with any current ciphersuite > (because > every current one has prf-hash of either SHA-256 or SHA-384). > > > Thanks for the clarification. What do other people think about this > suggestion? > > -Ekr Three items - Doing it this way means that SHA1 is a permanent part of TLS1.3 - every implementation will need it. It also means that the security of the handshake transcript part is no better than that given by SHA1 so if further attacks on SHA1 are discovered, the fix will be TLS1.4. That applies regardless of which hash we select. That said, SHA256 is probably a better choice that SHA1 given that SHA1 is deprecated for signatures [while this isn't exactly using it in signatures, I will note that ECDSA (SHA256(SHA1(data)) has the same strength as ECDSA(SHA1(data)) - I would have to think a bit whether the addition of the 4 possibly fixed (or chosen) elements would increase the security back to SHA256 levels] If the client is willing to negotiate to TLS1.2, the client will still need to run multiple hashes in parallel until it gets the tls version selection confirmation (and the cipher suite selection) from the server as we're not changing how the TLS1.2 signature is calculated. Lastly, if we do the above, please add a uint32 length(transcript) value before handshake_hash(transcript) to at least make extension attacks a bit more difficult. Mike > > > > -Ilari > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Signed messages should be prefixed with a N… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Watson Ladd
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla