Re: [TLS] rm Hello.random w/ (EC)DHE [was OPTLS: Signature-less TLS 1.3]

Geoffrey Keating <geoffk@geoffk.org> Mon, 10 November 2014 19:06 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADB141A9146 for <tls@ietfa.amsl.com>; Mon, 10 Nov 2014 11:06:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.498
X-Spam-Level:
X-Spam-Status: No, score=0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_54=0.6, J_CHICKENPOX_55=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHrnmNqvatnl for <tls@ietfa.amsl.com>; Mon, 10 Nov 2014 11:06:12 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D5C91A9172 for <tls@ietf.org>; Mon, 10 Nov 2014 11:05:53 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id A790733D1A3; Mon, 10 Nov 2014 19:05:51 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Dan Brown <dbrown@certicom.com>
References: <810C31990B57ED40B2062BA10D43FBF5CFDCC9@XMB116CNC.rim.net>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Mon, 10 Nov 2014 11:05:51 -0800
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5CFDCC9@XMB116CNC.rim.net>
Message-ID: <m2vbmmri40.fsf@localhost.localdomain>
Lines: 23
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/na3Hg2bqS2q0l58wXGyM5l9zkYc
Cc: "'hoeteck@alum.mit.edu'" <hoeteck@alum.mit.edu>, "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] rm Hello.random w/ (EC)DHE [was OPTLS: Signature-less TLS 1.3]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 19:06:13 -0000

Dan Brown <dbrown@certicom.com> writes:

> When using (EC)DHE (inc. OPTLS below), the TLS random nonces
> (ClientHello.random and ServerHello.random) seem redundant (unless
> one re-uses ephemeral secret keys (but then maybe a counter or
> secure time would be almost as good a nonce as a random in this
> case), or perhaps for some other reason I’m missing), and perhaps
> even a point of fragility (e.g. if a common generator for nonces and
> keys is weak, or corrupted). So, does it make sense to remove these
> Hello.randoms, when using (EC)DHE, or to replace them with something
> milder, like Hello.time, Hello.counter, or just Hello.nonce?

The client's nonce is its way of ensuring that the server has
generated a fresh signature on the server's DHE parameters.  However
you could achieve the same thing by having the server sign both its
and the client's DHE parameters, effectively treating them as a nonce.

Another thing the nonces do is ensure that even if the DHE exchange is
controlled by one side, the master secret (and therefore the
connection identification) is still different between different
connections from the client.  To preserve this you would need to
ensure all the DHE parameters are valid.  This is necessary to prevent
a triple handshake style of attack.