IETF Logo Mail Archive

Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]

Michael Sweet <msweet@apple.com> Thu, 18 September 2014 11:29 UTC

Return-Path: <msweet@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86B0C1A017C for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 04:29:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.743
X-Spam-Level:
X-Spam-Status: No, score=-5.743 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yz6TSzAZ75IP for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 04:29:50 -0700 (PDT)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFEAC1A014D for <tls@ietf.org>; Thu, 18 Sep 2014 04:29:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1411039790; x=2274953390; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Z5bd3NOO5zJohtn7ZZQ5RkWeAeo0P/+StbhO8YJ9MWg=; b=J4V98kzHhYblbScKE5Mj5Xr0SSeJPesw6unzJHOjHuogjrsZnbRDpfTVSWbR0Jur EoPmFYU+BfudThPnpPp+dNHDYVgXN/qEscWhl+c7SkN4qqq2tnAs5WnTIB/dETvS kvZDqwmvbM/0jMg9boLrOwjpSUlHx0a0LW5Pj8vhzBdbm7JJkrQEj9bmI3q7d9Tz htq7hjmRBbuDGZYQ5ySGOZHNOmiQHNExQbzBFGoeKuQ9eybX27L5dHG1GG45ZVpo ak17FS4F8JfRTZN/ag0TCKJzRNSry2JT6nN9c8ycs2hbNpkdcOql07WpuKGoRQmS cHv5PeHbdHElVi78Jq1tsw==;
Received: from mail-out.apple.com (honeycrisp.apple.com [17.151.62.51]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 13.81.31401.E22CA145; Thu, 18 Sep 2014 04:29:50 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from relay4.apple.com ([17.128.113.87]) by local.mail-out.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTP id <0NC300607H95NSK0@local.mail-out.apple.com> for tls@ietf.org; Thu, 18 Sep 2014 04:29:50 -0700 (PDT)
X-AuditID: 11973e16-f793b6d000007aa9-8f-541ac22e157b
Received: from chive.apple.com (chive.apple.com [17.128.115.15]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay4.apple.com (Apple SCV relay) with SMTP id 19.65.03493.532CA145; Thu, 18 Sep 2014 04:29:57 -0700 (PDT)
Received: from [17.153.50.154] by chive.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0NC300EIPH9OZ030@chive.apple.com> for tls@ietf.org; Thu, 18 Sep 2014 04:29:49 -0700 (PDT)
From: Michael Sweet <msweet@apple.com>
In-reply-to: <CACsn0cmUAeof0o7b2RG=RzqpBrezYihyu-ggS7qX5M8dd5BSQA@mail.gmail.com>
Date: Thu, 18 Sep 2014 07:29:49 -0400
Message-id: <58A06E37-B0FB-4D53-87AD-288CF2278B42@apple.com>
References: <20140912200607.GE16660@localhost> <20140918011622.CB9391AE4C@ld9781.wdf.sap.corp> <CACsn0cmUAeof0o7b2RG=RzqpBrezYihyu-ggS7qX5M8dd5BSQA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDLMWRmVeSWpSXmKPExsUiON3OWFfvkFSIwbbTvBafzncxOjB6LFny kymAMYrLJiU1J7MstUjfLoEro+uUR8F7mYolLwobGJeJdzFyckgImEicmHaADcIWk7hwbz2Q zcUhJDCHSeJVyxdWkASvgKDEj8n3WLoYOTiYBeQlDp6XBQkzC2hJfH/UygJiCwlMZpI4O0MX Zub+/1eg5nQzSWzYu4MFwvnAKHH8RjvYUGGBHImXd/+wg9hsAmoSvyf1gcU5BYIltt1fDhZn EVCVaHm8mhliW65E78d/bBAH2Ugs+bQBauhyRomrO6aCJUQE1CUmLN/EAnGGvMSHD8fZQYok BF6zSuxZ08w2gVFkFpKPZiF8NAvJRwsYmVcxCuUmZuboZuaZ6yUWFOSk6iXn525ihAS32A7G h6usDjEKcDAq8fBKCEiFCLEmlhVX5h5ilOZgURLnnc0AFBJITyxJzU5NLUgtii8qzUktPsTI xMEp1cC4TTEguPPYqoKvP6xKBJ279s1/xrffg3kny27bic96FYQi+VXYj9TnPV7UNCHde6eO uvk5403qjYmOx25+OvKdU7LrkKVF6mSl8OrtYdbcV+77dk936dg4s0c43OalhuC55L3Pij3f XTvdciEg8kig4ELdQ8wJV3p28nqFxd544nf6XKeTdpESS3FGoqEWc1FxIgCK0g3ITwIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOLMWRmVeSWpSXmKPExsUi2FDMr2t6SCrE4GefgMWn812MDoweS5b8 ZApgjOKySUnNySxLLdK3S+DKWNnyj7Fgi2zF1dc/2RoYH4h3MXJySAiYSOz/f4UNwhaTuHBv PZDNxSEk0M0k8bR/AROE84FR4viNdlaQKmGBHImXd/+wg9i8AgYSr34+ZgaxmQW0JNbvPM4E YrMJqEn8ntQHVs8pECyx7f5ysHoWAVWJlseroepzJXo//mODsLUlnry7wAox00ZiyacNLBCL lzNKXN0xFaxIREBdYsLyTSwQp8pLfPhwnH0Co8AsJHfMQnLHLCRzFzAyr2IUKErNSaw00Uss KMhJ1UvOz93ECA6+wvAdjP+WWR1iFOBgVOLhPcArFSLEmlhWXJl7iFGCg1lJhPfXQqAQb0pi ZVVqUX58UWlOavEhRmkOFiVx3vdlQCmB9MSS1OzU1ILUIpgsEwenVANj7seGW3dvXVdnK7xk 66TJq+GyQPCW8OMdKVPzFDUDTkzfcJLZlN8sJOeA+9Kf59pTk3vaW3mOcFq0Ci67ln/r2mWb 19dy3tx0cwnyY/CJqbY9tVbrXChjTZrX2xWbl2Q73L/Uzum9i0ehqoVr+72+VbK8V1/tOfip cY4U48d29ocz7ws+Y/RRYinOSDTUYi4qTgQAXyJs2zoCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pbfyCJtCOuisj8CXKQOt7dYTalg
Cc: Markulf Kohlweiss <markulf@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cryptanalysis vs. encrypted parts of the TLS handshake [was: Re: Simplifying the proof]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Sep 2014 11:29:52 -0000

My $0.02: Would it make sense to stop treating extensions as an a la carte mechanism, and instead define "extension suites", much as TLS already groups specific combinations of cryptographic primitives that can be selected in cipher suites?

Seems like that would limit the allowed combinations of extensions to those that have gone through the necessary analysis and are considered "safe" to use together?


On Sep 17, 2014, at 10:03 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Wed, Sep 17, 2014 at 6:16 PM, Martin Rex <mrex@sap.com> wrote:
>> Nico Williams wrote:
>>> On Thu, Sep 11, 2014 at 05:18:37PM +0200, Martin Rex wrote:
>>>> I also don't understand why the fact that TLS finished messages are
>>>> encrypted would make any proof harder.  I believe that to be untrue.
>>> 
>>> Hugo K.'s rationale is that you then need to have replay protection.  We
>>> need replay protection anyways, but if you're only analyzing the
>>> handshake then it helps to not have to include subsequent replay
>>> protection in the analysis.
>> 
>> Somehow that argument feels quite lame when it is combined with the
>> argument "the proof would be easier when the finished messages were
>> sent in the clear, could we not change this".
>> 
>> Just do the proof under the assumption/premise that the finished messages
>> *ARE* in the clear.  Then send them encrypted.  Unless you're doing avoidable
>> weird things, sending them encrypted rather then in the clear should not
>> affect the original proof at all.
> 
> Yes, that's what previous analysis had to do. In combination with
> other misfeatures (need for Oracle DH assumptions, additional
> complexity) the result was that protocol weaknesses went undetected.
> 
> The bigger the difference between TLS and the protocol that is
> actually analyzed, the weaker the guaranties are about the safety of
> TLS. Furthermore the space of changes people make to TLS is much
> larger than is actually realized: take all the RFCs referring to any
> version of TLS, and consider that each one may or may not be
> implemented. The resulting combinatorial explosion cannot be dealt
> with except by modularizing the proof.
> 
> TLS 1.3 adds new tricks, like Zero-RTT, one-RTT forms, and possibly
> new forms of encrypted data. The easier it is to analyze the core
> protocol the easier it will be to analyze these proposals, and fix
> them. Most of the people who are making proposals including myself
> have not got the ability or time to do a proper analysis. The few
> people who do are really overworked, and so far we've heard nothing
> from them (for good reason: you don't want a late change to turn a
> significant amount of work into a nonstarter) It is a substantially
> more complicated protocol.
> 
> We need to think about how to avoid the past two decades of major
> cryptographic weaknesses, repeatedly identified in TLS
> implementations, some of which are still not fixed.
> 
> Sincerely,
> Watson Ladd
>> 
>> If the TLS channel would be sensitive to what exact data is transferred
>> within that encrypted channel, then you would have *MUCH* larger problems
>> and it would apply to just about any kind of arbitrary application data.
>> 
>> -Martin
> 
> 
> 
> -- 
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

v2.23.0 | Report a Bug | By Email