Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 24 December 2014 18:50 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C571A1A39 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 10:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nc9OMHZhp6EL for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 10:50:34 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C311A1A5B for <tls@ietf.org>; Wed, 24 Dec 2014 10:50:33 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 89B171887EF; Wed, 24 Dec 2014 20:50:31 +0200 (EET)
Date: Wed, 24 Dec 2014 20:50:31 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141224185031.GA4583@LK-Perkele-VII>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n169ixKUuhLgemj__PGxNXQWi60
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 18:50:36 -0000

On Wed, Dec 24, 2014 at 10:21:58AM -0800, Eric Rescorla wrote:
> On Tue, Dec 23, 2014 at 6:37 AM, Ilari Liusvaara <
> ilari.liusvaara@elisanet.fi>; wrote:
> 
> > On Mon, Dec 22, 2014 at 01:38:36PM -0800, Eric Rescorla wrote:
> > > Adam updated his PR to sign the prefix concatenated with the handshake
> > > hashes, which makes it easier to have a single hash context.
> > >
> > > https://github.com/tlswg/tls13-spec/pull/100
> > >
> > > I haven't seen any objections to this idea, so I'll merge this on
> > Wednesday
> > > unless I hear an objection before then.
> > >
> >
> > Any reason not to fix the hash function per-ciphersuite, so servers
> > and clients don't have to run multiple hashes in parrallel?
> >
> 
> The client and server may want to use different signature algorithms.

I mean the hash in data to be signed (not the internal hash function in
signature algortithm).

That is, it would be digital signature of:

- 32 padding bytes (or ClientRandom)
- 32 padding bytes (or ServerRandom)
- Context string
- Ciphersuite ID (to provode domain separation)
- handshake_hash(transcript)

Where handshake_hash is the same hash as used by session hash (that one
better be CR anyway!)

This PR lacks the domain separation and requires both sides to buffer
handshake or run potentailly lots of hashes (instead of just running
one they need to run anyway).



-Ilari