Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 23 December 2014 14:37 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1B4D1ACEF2 for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 06:37:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBuWnV8cFQKw for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 06:37:22 -0800 (PST)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEB071ACEEB for <tls@ietf.org>; Tue, 23 Dec 2014 06:37:21 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 89F7081879; Tue, 23 Dec 2014 16:37:19 +0200 (EET)
Date: Tue, 23 Dec 2014 16:37:19 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141223143719.GB11149@LK-Perkele-VII>
References: <CAMfhd9XgR-N6BZVLojfyf6E2+0fhYVHopp5FKALoup_GjTji5A@mail.gmail.com> <CABcZeBMmFWOoh6Av=eAaMi6AA1Kb7X41Efie-0PuRZWwPPVz_A@mail.gmail.com> <860778484.3559563.1416987612674.JavaMail.zimbra@redhat.com> <CABcZeBPHQGMNYU1QbG=oeuVZYG71BqVaJU9E9e2Kh+rEWq=RXA@mail.gmail.com> <CAL9PXLwrZCgDUqd8ugqhcpYEBwLOcQXSLg8Kx8fgCq6tzLvO4A@mail.gmail.com> <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CABcZeBPY8Jrg_ou_=frs9O2-0nrfL+V-H-jBCxDgQ4Ora55kvQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n3lf9eNPbUNqdYqTyAIUNB5UVBA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Signed messages should be prefixed with a NUL-terminated context string.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 14:37:23 -0000

On Mon, Dec 22, 2014 at 01:38:36PM -0800, Eric Rescorla wrote:
> Adam updated his PR to sign the prefix concatenated with the handshake
> hashes, which makes it easier to have a single hash context.
> 
> https://github.com/tlswg/tls13-spec/pull/100
> 
> I haven't seen any objections to this idea, so I'll merge this on Wednesday
> unless I hear an objection before then.
> 

Any reason not to fix the hash function per-ciphersuite, so servers
and clients don't have to run multiple hashes in parrallel? 

Suitable hash function is required by the THS fix anyway, and one
could just reuse that context if one has implementation capable of
intermediate hashes or hash context cloning.

If one is worried about cross-hash attacks (even if all hashes should
be strong), stick the ciphersuite ID (which fixes the hash) into
data to be signed.


-Ilari