[TLS] Short Authentication Strings for TLS

Christian Huitema <huitema@microsoft.com> Thu, 18 August 2016 17:48 UTC

From: Christian Huitema <huitema@microsoft.com>
To: "<tls@ietf.org>" <tls@ietf.org>, "imiers@cs.jhu.edu" <imiers@cs.jhu.edu>, "mgreen@cs.jhu.edu" <mgreen@cs.jhu.edu>, Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Aug 2016 17:47:58 +0000
Message-ID: <BN6PR03MB2675BA146E2ACC19C754B2DCA8150@BN6PR03MB2675.namprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qKycGFMqcqiBfREgV4Q0A6YADlk>
Cc: Daniel Kaiser <daniel.kaiser@uni-konstanz.de>
Subject: [TLS] Short Authentication Strings for TLS

Daniel Kaiser and I are working on a "pairing" specification in the context of DNS SD. Short Authentication Strings are one of the preferred methods for verifying pairings. I would like to use TLS as much as possible in the pairing protocol. EKR pointed me to the expired draft by Ian Miers, Matthew Green and him: https://tools.ietf.org/html/draft-miers-tls-sas-00. I am interested in reviving that draft.

The draft implements a classic "coin flipping" protocol into TLS, using a "commit before disclose" logic to prevent Nessie from hiding as an MITM between Alice and Bob. From my superficial reading, this looks fine. I could use a reference to http://people.csail.mit.edu/shaih/pubs/hm96.pdf, both to explain why the attack by Halevi and Micali does not apply to this particular construct, and also to provide a 20-year-old reference to similar algorithms, which may be useful in this day and age.

One nit, though. If Nessie has infinite computing resources, she can build a catalog of multiple random values that all hash to the same string, and then use that catalog to work around the commitment protocol. The scheme in the draft prevents that attack by using a hash keyed with the master secret, which defeats catalog attacks, and also by limiting the length of the nonce to be below the length of the hash, which in theory prevents collision attacks. Explaining that would be neat.

As I said, I am interested in reviving that draft, and adapting it to TLS 1.3. Does someone else share the feeling?

-- Christian Huitema
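The commit-before-disclose exchange the mail describes, as an added example sketch that is neither the draft's construction nor Huitema's code; it assumes HMAC-SHA256 keyed with the session master secret, 16-byte nonces (shorter than the 32-byte hash output), and a four-digit SAS.

```python
import hashlib
import hmac

HASH = hashlib.sha256
NONCE_LEN = 16    # assumption: kept below HASH().digest_size (32), as the mail describes
SAS_DIGITS = 4    # assumption: a four-digit string the two users compare out of band


def commit(master_secret: bytes, nonce: bytes) -> bytes:
    """Alice's commitment to her nonce, keyed with the session's master secret.

    Keying with the master secret is what defeats a precomputed catalog of
    nonces sharing one hash value: the key is unknown before the handshake.
    """
    if len(nonce) != NONCE_LEN or len(nonce) >= HASH().digest_size:
        raise ValueError("nonce must be NONCE_LEN bytes and shorter than the hash output")
    return hmac.new(master_secret, nonce, HASH).digest()


def open_commitment(master_secret: bytes, commitment: bytes, nonce: bytes) -> bool:
    """Bob's check when Alice discloses: the nonce must match what she committed to."""
    return hmac.compare_digest(commitment, commit(master_secret, nonce))


def sas(master_secret: bytes, nonce_a: bytes, nonce_b: bytes) -> str:
    """Short Authentication String both ends derive once both nonces are known."""
    digest = hmac.new(master_secret, nonce_a + nonce_b, HASH).digest()
    value = int.from_bytes(digest[:4], "big") % 10 ** SAS_DIGITS
    return f"{value:0{SAS_DIGITS}d}"


def run_pairing(master_secret: bytes, nonce_a: bytes, nonce_b: bytes, disclosed_a: bytes):
    """The exchange in order; returns (commitment accepted?, SAS Bob computes)."""
    c = commit(master_secret, nonce_a)                        # 1. Alice -> Bob: commitment
    # 2. Bob -> Alice: nonce_b, chosen without knowledge of nonce_a
    if not open_commitment(master_secret, c, disclosed_a):    # 3. Alice -> Bob: nonce
        return False, None                                    # late-chosen nonce is rejected
    return True, sas(master_secret, disclosed_a, nonce_b)     # 4. both display the SAS


# Constructed sample values, not taken from any real session.
MASTER = b"\x11" * 48
NONCE_A = b"\x01" * NONCE_LEN
NONCE_B = b"\x02" * NONCE_LEN
NONCE_X = b"\x03" * NONCE_LEN   # a different nonce picked after seeing nonce_b

if __name__ == "__main__":
    print(run_pairing(MASTER, NONCE_A, NONCE_B, NONCE_A))   # honest disclosure: (True, '....')
    print(run_pairing(MASTER, NONCE_A, NONCE_B, NONCE_X))   # swapped nonce: (False, None)
```

Because the commitment is keyed, an on-path party who sits in two separate TLS sessions holds two different master secrets and cannot steer either side's SAS after seeing the other side's nonce.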