Re: [TLS] TLS and hardware security modules - some issues related to PKCS11
Michael StJohns <msj@nthpermutation.com> Sat, 21 September 2013 19:09 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F71011E8180 for <tls@ietfa.amsl.com>; Sat, 21 Sep 2013 12:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jU+eYgu8QHbw for <tls@ietfa.amsl.com>; Sat, 21 Sep 2013 12:09:31 -0700 (PDT)
Received: from mail-qc0-f173.google.com (mail-qc0-f173.google.com [209.85.216.173]) by ietfa.amsl.com (Postfix) with ESMTP id 4F29E21F9B10 for <tls@ietf.org>; Sat, 21 Sep 2013 12:09:11 -0700 (PDT)
Received: by mail-qc0-f173.google.com with SMTP id c3so1079857qcv.18 for <tls@ietf.org>; Sat, 21 Sep 2013 12:09:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=mPVXnhLh+lID9l5iLN6CEAgGgy/57co8PviWH9wamZg=; b=nGVRZTgmM+JSCP2lAbTb6uVV+xKOOoBgTURs04pFZID/bCK9M+GlhlaQDiJm7f0mQB II0rZOzyXNHDt/8ouFTMzdOlwHVIUYJF088Da3wK+JEIwjaY0VeowxeWdR3zVp4c+dYa 3usov03XYwpmTxXTNL4BNHfNr86KkoJQsgQaCYij5xPXW9hZfiKdpdpcwnbmI9D6V/Qp g1j67vH18s92TeC20eVQpV8Na2DTaDIu/l1WDQ12GYAcFixoUbnpH6rwKIn7ciIXH6MQ liow3Qt17kDQbzuiX/eJh2Q7pnOPO9QF4MQlJ2jVZ2loOj5w06292dcIyvIlbSjhs79V z01w==
X-Gm-Message-State: ALoCoQmhJ4wdKR/zsF//qFwOGWZWaOImEHYFDipDNK/dwTLN+jO+DB8Du7jBKgnlvnHp6qBYttwO
X-Received: by 10.49.42.101 with SMTP id n5mr12080365qel.31.1379790550793; Sat, 21 Sep 2013 12:09:10 -0700 (PDT)
Received: from [192.168.1.112] (c-68-83-212-126.hsd1.md.comcast.net. [68.83.212.126]) by mx.google.com with ESMTPSA id d3sm29688457qad.2.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 21 Sep 2013 12:09:10 -0700 (PDT)
Message-ID: <523DEED6.1060501@nthpermutation.com>
Date: Sat, 21 Sep 2013 15:09:10 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Juraj Somorovsky <juraj.somorovsky@rub.de>
References: <522955BC.8000407@nthpermutation.com> <52378A67.9010903@rub.de> <52379643.7070705@nthpermutation.com> <523AAA0E.2020105@rub.de>
In-Reply-To: <523AAA0E.2020105@rub.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] TLS and hardware security modules - some issues related to PKCS11
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2013 19:09:37 -0000
On 9/19/2013 3:38 AM, Juraj Somorovsky wrote: > Let me please extend your scenario: > o Consider an application that needs to produce 2 128 bit AES keys. > o Consider that an attacker (or a hacked program that's being used to > extract keys) re-runs the derivation using the same master key and same > random data, this time specifying 64 bits of DES keys. > o Consider that the attacker can "break" DES (can get key from > plaintext-ciphertext pairs), but cannot break AES. > > The part of the key stream previously used for AES is now assigned to > the DES keys. If the PKCS11 module now produces some > plaintext-ciphertext pairs, the attacker can break DES and thus gets > part of the key stream previously assigned to AES. > > I admit I am not that familiar with PKCS11 modules used in > TLS...However, would this be a valid scenario? Yes and yes. Yes - PKCS11 doesn't actually get any information on the specific TLS suite, so it doesn't know what keys are required or their length. And the suites are all over the place in required keys and lengths - the null encryption suites don't require encryption keys, and the AEAD suites don't require MAC keys, so PKCS11 can't really enforce minimum lengths there. Yes - yuck - I didn't even consider this. Even if you don't leak out into the IV, there are crypto algorithms still in use with way too short key lengths. You could do exactly what you said and use this to brute force the DES 56 bit keys (plus 8 parity) and then concatenate the individual results to get the AES keys. Thanks for this. I think it can be fixed though and relatively simply, but will require changes to the key expansion step that are a bit more than I suggested: E.g. in addition to the master_key, label and random data being fed into the KDF, also feed in - in order for each output key - 2 or 4 bytes each that describe the length of the key. And that's taken directly from the inputs for the key lengths requested. That means that any time you vary the length of ANY key in the key expansion, the entire key stream changes. It also means that there isn't a need for a separate IV sub key for the key expansion stage (I think....) I'll write it up. Mike
- [TLS] TLS and hardware security modules - some is… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Juraj Somorovsky
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Martin Rex
- Re: [TLS] TLS and hardware security modules - som… Pascal Urien
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Salz, Rich
- Re: [TLS] TLS and hardware security modules - som… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS and hardware security modules - som… Martin Rex
- Re: [TLS] TLS and hardware security modules - som… Salz, Rich
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Nikos Mavrogiannopoulos
- Re: [TLS] TLS and hardware security modules - som… Bill Frantz
- Re: [TLS] TLS and hardware security modules - som… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS and hardware security modules - som… Juraj Somorovsky
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Juraj Somorovsky
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Paterson, Kenny
- Re: [TLS] TLS and hardware security modules - som… Michael D'Errico
- Re: [TLS] TLS and hardware security modules - som… Nico Williams
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Nico Williams
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Juraj Somorovsky
- Re: [TLS] TLS and hardware security modules - som… Michael StJohns
- Re: [TLS] TLS and hardware security modules - som… Juraj Somorovsky