Re: [TLS] TLS 1.2
Bodo Moeller <bmoeller@acm.org> Sat, 17 September 2005 08:55 UTC
Date: Sat, 17 Sep 2005 02:54:47 -0600
From: Bodo Moeller <bmoeller@acm.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [TLS] TLS 1.2
Message-ID: <20050917085446.GA15797@tau.local>
References: <20050827003010.19815285E3@sierra.rtfm.com> <E1E9gEQ-0002RK-00@medusa01.cs.auckland.ac.nz>
Cc: tls@ietf.org
On Mon, Aug 29, 2005 at 09:47:10PM +1200, Peter Gutmann wrote:

> [...] Most of the use in TLS is as PRFs and in HMAC, none of which are even remotely endangered by any known attack. Signatures, however, need to be fixed for three main reasons: [...]
>
> 3. Signing of hashes that don't correspond to anything that's calculated during part of the normal handshake. That is, the dual-MAC that's sent in the Finished message isn't what gets signed, so it's necessary to run a parallel hash of handshake messages that terminates before the Finished-message hashing does. Since client certs are almost never used, there's a lot of extra overhead involved in running an extra dual hash that (most of the time) never gets used.

Whether this is overhead depends on the hashing API used by the TLS implementation -- if you can copy the current hash state if a client CertificateVerify is to be sent, then you won't have to do the hashing work twice.

> In practice all that's needed is to sign the client and server nonces to ensure signature freshness,
>
> So my proposal was to include a new extension signatureSuites, consisting of (currently) three values:
>
> SIG_RSA_PKCS1_WITH_SHA1
> SIG_RSA_PKCS1_WITH_SHA256
> SIG_DSA_WITH_SHA1
>
> and if that gets acknowledged by the other side (as per RFC 3546) then using a standard signature of the given type over the value:
>
> { "certificate verify" || client_nonce || server_nonce }

This will provide the server with assurance that the client holding the appropriate signing key is currently engaging in a TLS handshake, and that *either* said client *or* a man in the middle is the other party to the key exchange that the server is directly involved in.

In other words, it does not say anything on whether the ClientKeyExchange comes from the legitimate client or the man in the middle and thus whether the symmetric key material has actually been negotiated with the client whose certificate was sent, or with Mr Wile E Coyote c/o General Delivery, Grand Canyon AZ 86023.
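An added illustration of the two points in the message above (not code from the thread or from any TLS implementation): copying the running hash state yields the CertificateVerify hash and the Finished hash in a single pass, and the proposed nonce-only signed value, unlike a transcript hash, does not change when the ClientKeyExchange changes. It assumes SHA-256 in place of the TLS 1.0/1.1 MD5+SHA-1 pair and uses constructed byte strings in place of real handshake encodings.

```python
import hashlib

# Constructed sample handshake messages: short byte strings standing in for
# the real TLS encodings, enough to show which fields each signed value covers.
# SHA-256 replaces the TLS 1.0/1.1 MD5+SHA-1 pair to keep the example short.
CLIENT_NONCE = bytes(range(32))
SERVER_NONCE = bytes(range(32, 64))

def handshake(client_key_exchange):
    """Handshake messages up to (not including) CertificateVerify, in wire order."""
    return [
        b"ClientHello" + CLIENT_NONCE,
        b"ServerHello" + SERVER_NONCE,
        b"Certificate(server)",
        b"CertificateRequest",
        b"ServerHelloDone",
        b"Certificate(client)",
        b"ClientKeyExchange" + client_key_exchange,
    ]

def hashes_with_state_copy(messages, tail):
    """One pass over the transcript: the hash state is copied where
    CertificateVerify is signed, and the same state keeps running over the
    remaining messages (CertificateVerify, ...) to produce the Finished hash."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    cv_hash = h.copy().digest()   # value the client signs in CertificateVerify
    for m in tail:
        h.update(m)
    return cv_hash, h.digest()    # second value feeds the Finished computation

def hashes_from_scratch(messages, tail):
    """The 'parallel hash' approach: two independent passes over the data."""
    return (hashlib.sha256(b"".join(messages)).digest(),
            hashlib.sha256(b"".join(messages + tail)).digest())

def transcript_signed_value(client_key_exchange):
    """Standard CertificateVerify input: hash of the whole transcript so far."""
    return hashes_with_state_copy(handshake(client_key_exchange), [])[0]

def nonce_only_signed_value(client_key_exchange):
    """Signed value from the quoted proposal: label and the two nonces only."""
    return b"certificate verify" + CLIENT_NONCE + SERVER_NONCE

def binds_client_key_exchange(signed_value_fn):
    """True if a different ClientKeyExchange changes what the client signs."""
    return signed_value_fn(b"premaster-A") != signed_value_fn(b"premaster-B")
```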