Re: [TLS] Key Control Vulnerability in SRP (Triple Handshake Variant)

Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr> Fri, 08 August 2014 21:11 UTC

Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299FB1ABD18 for <tls@ietfa.amsl.com>; Fri, 8 Aug 2014 14:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FRJLUgl7n1zZ for <tls@ietfa.amsl.com>; Fri, 8 Aug 2014 14:11:36 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64A841A0379 for <tls@ietf.org>; Fri, 8 Aug 2014 14:11:36 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,827,1400018400"; d="asc'?scan'208";a="74348410"
Received: from pool-71-161-100-124.cncdnh.east.myfairpoint.net (HELO [10.0.1.3]) ([71.161.100.124]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES128-SHA; 08 Aug 2014 23:11:33 +0200
Content-Type: multipart/signed; boundary="Apple-Mail=_C19BB4DE-E8B7-4E73-8009-16DD973BADB4"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
In-Reply-To: <CAGZ8ZG3=xE5xv1oVAaL1Yxc-sm4ZuA+N++E5xt_QrMLYqR+Edw@mail.gmail.com>
Date: Fri, 8 Aug 2014 17:11:31 -0400
Message-Id: <184302E9-0674-49FE-B0E5-3D356404573F@inria.fr>
References: <79E82046-616E-4179-8CF6-12126DDE4640@inria.fr> <DB3BE984-3839-4681-97B2-C874C5154DC1@inria.fr> <CAGZ8ZG3=xE5xv1oVAaL1Yxc-sm4ZuA+N++E5xt_QrMLYqR+Edw@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/naYiWniyDnrVYmaykoK6Q-G9ILs
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] Key Control Vulnerability in SRP (Triple Handshake Variant)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 21:11:42 -0000

> I haven't followed the triple-handshake discussion closely.  My
> impression is that it's a TLS issue - not an SRP issue - which should
> be fixed by something like [1].
> ….
> [1] http://datatracker.ietf.org/doc/draft-bhargavan-tls-session-hash/

Yes, [1] is the current proposal to prevent all triple-handshake-style key synchronisation attacks

The observation here is meant to document that TLS-SRP (not just TLS-RSA and TLS-DHE) also
allows key control, but that this can be easily avoided by some cheap implementation checks.

The main concern may be for for other uses of SRP where [1] may not apply, but I don’t know enough about
such applications to comment.

Best,
-Karthik

> 
> Is that correct?
> 
> Trevor
>