Re: [TLS] False Start, DHE key exchange, and the Negotiated FF-DHE extension
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 10 December 2014 20:27 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 234511A9080 for <tls@ietfa.amsl.com>; Wed, 10 Dec 2014 12:27:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UX14yodIzJaE for <tls@ietfa.amsl.com>; Wed, 10 Dec 2014 12:27:35 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 863D21A90AE for <tls@ietf.org>; Wed, 10 Dec 2014 12:27:30 -0800 (PST)
Received: from [10.70.10.53] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id D8044F984; Wed, 10 Dec 2014 15:27:27 -0500 (EST)
Message-ID: <5488ACB1.6090201@fifthhorseman.net>
Date: Wed, 10 Dec 2014 15:27:29 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Icedove/34.0
MIME-Version: 1.0
To: Brian Smith <brian@briansmith.org>, "<tls@ietf.org>" <tls@ietf.org>
References: <CAFewVt4J4TdBa9tzzhmpU6rpwrbHXGpiSLeQNDUbQZEosFUtdg@mail.gmail.com>
In-Reply-To: <CAFewVt4J4TdBa9tzzhmpU6rpwrbHXGpiSLeQNDUbQZEosFUtdg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Vq5q2hGlukGga8khD6Q2L8M76VSnrLeAg"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qL7nLkLpG__qHHjVklN5UZ7h7vY
Subject: Re: [TLS] False Start, DHE key exchange, and the Negotiated FF-DHE extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Dec 2014 20:27:38 -0000
On 12/10/2014 01:33 AM, Brian Smith wrote: > * The Negotiated FF-DHE draft mechanism is specified in such a way > that the server's signature on DHParams does not cover the client or > server FF-DHE extensions, There are no FFDHE-specific extensions in the draft, just a reuse of NamedCurves on the client side to specify FFDHE groups. > because the definition of DHParams was not > modified to cover them. This is unfortunate, because it means that > these parameters, and thus the entire DHE exchange, cannot be fully > validated until the peer's Finished message is validated. If there is a change in the way that you think the signature should be processed in draft-ietf-tls-negotiated-ff-dhe, please suggest a concrete change. I considered making a new Handshake message that differed from ServerKeyExchange (but performed the same function) as the server's response when selecting an offered FFDHE named group. I found it difficult to draft it in such a way that the mechanism would be straightforward for implementers to add, but it's possible that (a) i missed some obvious way to differentiate between a signed DHParams object and one of these new objects, or (b) i was being too conservative about what implementers would find acceptable. (btw, if TLS was already following the excellent suggestion for always using a string-prefix for signing anything, then distinguishing between types of signed dh params would be a much easier call) > In particular, this means that the FF-DHE mechanism, as currently > designed, is not useful for enhancing the security of False Start > handshakes that use DHE key exchange. I'm not sure i reach the same conclusion. consider it from both sides: * abbreviated handshake, server sends first i fail to see the risk here -- in the abbreviated handshake, the client has identified itself by a TLS session ID or ticket, and is resuming the existing session, so no key exchange is necessary. use of an FFDHE ciphersuite (or not) isn't relevant to this case. * full handshake, client sends first In this situation, the client sent the server a list of preferred FFDHE groups. the server either responded with one of them, or did not respond with one of them. If the server responded with one of them, and it was signed by the server's validated public key, why should this preclude the use of FalseStart by the client? The server replied with a value from an acceptable group, and the message (including client and server randoms for freshness) was signed by the server. Why should a client refuse to send traffic early in this case? Perhaps the false start draft should say that a client shouldn't do false start for a server that offers FFDHE but does not send an acceptable named group. --dkg
- [TLS] False Start, DHE key exchange, and the Nego… Brian Smith
- Re: [TLS] False Start, DHE key exchange, and the … Daniel Kahn Gillmor
- Re: [TLS] False Start, DHE key exchange, and the … Brian Smith
- Re: [TLS] False Start, DHE key exchange, and the … Daniel Kahn Gillmor
- Re: [TLS] False Start, DHE key exchange, and the … Brian Smith