Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 24 December 2014 18:50 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C571A1A39 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 10:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nc9OMHZhp6EL for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 10:50:34 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C311A1A5B for <tls@ietf.org>; Wed, 24 Dec 2014 10:50:33 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 89B171887EF; Wed, 24 Dec 2014 20:50:31 +0200 (EET)
Date: Wed, 24 Dec 2014 20:50:31 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141224185031.GA4583@LK-Perkele-VII>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com> <20141223143719.GB11149@LK-Perkele-VII> <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBOb9tL5UO94Qrdn7AuamkPvs=+7aU0EF78p3Lac=JEh9w@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n169ixKUuhLgemj__PGxNXQWi60
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 18:50:36 -0000
On Wed, Dec 24, 2014 at 10:21:58AM -0800, Eric Rescorla wrote: > On Tue, Dec 23, 2014 at 6:37 AM, Ilari Liusvaara < > ilari.liusvaara@elisanet.fi> wrote: > > > On Mon, Dec 22, 2014 at 01:38:36PM -0800, Eric Rescorla wrote: > > > Adam updated his PR to sign the prefix concatenated with the handshake > > > hashes, which makes it easier to have a single hash context. > > > > > > https://github.com/tlswg/tls13-spec/pull/100 > > > > > > I haven't seen any objections to this idea, so I'll merge this on > > Wednesday > > > unless I hear an objection before then. > > > > > > > Any reason not to fix the hash function per-ciphersuite, so servers > > and clients don't have to run multiple hashes in parrallel? > > > > The client and server may want to use different signature algorithms. I mean the hash in data to be signed (not the internal hash function in signature algortithm). That is, it would be digital signature of: - 32 padding bytes (or ClientRandom) - 32 padding bytes (or ServerRandom) - Context string - Ciphersuite ID (to provode domain separation) - handshake_hash(transcript) Where handshake_hash is the same hash as used by session hash (that one better be CR anyway!) This PR lacks the domain separation and requires both sides to buffer handshake or run potentailly lots of hashes (instead of just running one they need to run anyway). -Ilari
- [TLS] Signed messages should be prefixed with a N… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Nikos Mavrogiannopoulos
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Ilari Liusvaara
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Watson Ladd
- Re: [TLS] Signed messages should be prefixed with… Adam Langley
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Michael StJohns
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla
- Re: [TLS] Signed messages should be prefixed with… Eric Rescorla