Re: [TLS] Short Authentication Strings for TLS

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 09 September 2016 14:29 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C29B12B46D for <tls@ietfa.amsl.com>; Fri, 9 Sep 2016 07:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.109
X-Spam-Level:
X-Spam-Status: No, score=-4.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbDdeQjjZr_A for <tls@ietfa.amsl.com>; Fri, 9 Sep 2016 07:28:53 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54F6112B3FE for <tls@ietf.org>; Fri, 9 Sep 2016 07:28:13 -0700 (PDT)
Received: from [192.168.91.132] ([80.92.121.21]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LeiJ8-1bGEYq1nvq-00qUdw; Fri, 09 Sep 2016 16:27:50 +0200
To: Christian Huitema <huitema@microsoft.com>, "<tls@ietf.org>" <tls@ietf.org>, "imiers@cs.jhu.edu" <imiers@cs.jhu.edu>, "mgreen@cs.jhu.edu" <mgreen@cs.jhu.edu>, Eric Rescorla <ekr@rtfm.com>
References: <BN6PR03MB2675BA146E2ACC19C754B2DCA8150@BN6PR03MB2675.namprd03.prod.outlook.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <d86c3983-46a2-f0fe-63ae-ade0a8928fc4@gmx.net>
Date: Fri, 9 Sep 2016 16:27:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <BN6PR03MB2675BA146E2ACC19C754B2DCA8150@BN6PR03MB2675.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:azEPiCXmKnbUI9GOsAvis2cyeuvC2+LVg4cWpv3c0rwbDuUkC4W cwvCxvwNkyq3XiJhXBu1JvkorWnv1Ju3XgOv+AjmBmyNvPlJQ11S0xm53QF4agIsE3oJVfh nurnmKd+AO6TwwSzbQvLeEOG57S4hV71J7atnJiCOEarxpSMYjYCyJsDJHoSxmiUW47DSNR TcBwhLKBFRy6m6Cv8BevQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:RJJEcjm7cNI=:Zu8fD3QkEW1kyYJRZUdE0Q ltae2Dql5H2GvVDBnN0eAK1CzZyL5iDENL5BrDl+4oTM2+WIqYUZwM26P7TDrDjMAbZ7llntz FAnL+ERcwHIYynG5t4Wg4D/xO6KOHTARwRkjn0C1F2QP78O77iDAm9ChRZHWKM92Po0b7Ioz1 Pf1zuerhxiB29iSxhfwixGroGEoxMq28AejcbCi05NRXrFK+dlXPNxyOXs7xvVUUJXUvQbLza R492J+8RYwCfpAGoPCcvnLOKXZRkGttgMAYsMOgxpzbUUSBJy1bkeSw0zlGRL5UIz5jPnRvvs Cn29yLtUt2zMsRUzWxoQw8leeD+xc1DwE2WZPLjCzGsJtx1DJiumC/9emxeSAF48eXsiQ2iS1 w6oq4QMtgdcUb3jWppXPXtXjvHZvrIp4d8hl9Ufjqe3/FqyJVZDC9jZCfmBWK40HL+LR7Bphp +UTjFMZnR51v7syZGUdAWUVagS7X9s8+1bYL7I3sMCxU0QBE6o6CiT9OG2vmxe+m6TqjrpPFz Sp3TlfZa6oqnhc5167dCWI5Luz4NVPe4GGL5OPFW4X3xbLv/OHJzsYTve/lWjZF9GLccuNqse ov1BeXWGPCyHlc/77pVmGe5pDyw9C1heHYRv2rIA1WE0iD2YsKo0eztnV4a0UQGFJO4R1ysAx D3AzP30QMSaHq7B7i+Fgc9PXFk0R596P0dDmFuBNNn8COa5U10cnxWcwJfYN06QGo+jOrWxuq BtnMymaYVdK7uq0GqzlbHmPcRNqAa99nVAmEiirUG2ErbP74J7qsOHr/FMlMMZQ0UGZs4CgZy GUzD7VH
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sJATgUd4nB50y54sSJNl-YLAPPY>
Cc: Daniel Kaiser <daniel.kaiser@uni-konstanz.de>
Subject: Re: [TLS] Short Authentication Strings for TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 14:29:00 -0000

Hi Christian,

could you provide a bit more background why you are working on such a 
solution?

Ciao
Hannes


On 08/18/2016 07:47 PM, Christian Huitema wrote:
> Daniel Kaiser and I are working on a “pairing” specification in the
> context of DNS SD. Short Authentication Strings are one of the preferred
> methods for verifying pairings. I would like to use TLS as much as
> possible in the pairing protocol. EKR pointed me to the expired draft by
> Ian Miers, Matthew Green and him:
> https://tools.ietf.org/html/draft-miers-tls-sas-00. I am interested in
> reviving that draft.
>
>
>
> The draft implements a classic “coin flipping” protocol into TLS, using
> a “commit before disclose” logic to prevent Nessie from hiding as an
> MITM between Alice and Bob. From my superficial reading, this looks
> fine. I could use a reference to
> http://people.csail.mit.edu/shaih/pubs/hm96.pdf, both to explain why the
> attack by Halevi and Micali does not apply to this particular construct,
> and also to provide a 20 years old reference to similar algorithms,
> which may be useful in this day and age.
>
>
>
> One nit, though. If Nessie has infinite computing resource, she can
> build a catalog of multiple random values that all hash to the same
> string, and then use that catalog to work around the commitment
> protocol. The scheme in the draft prevents that attack by using a hash
> keyed with the master secret, which defeats catalog attacks, and also by
> limiting the length of the nonce to be below the length of the hash,
> which in theory prevents collision attacks. Explaining that would be neat.
>
>
>
> As I said, I am interested in reviving that draft, and adapting it to
> TLS 1.3. Does someone else share the feeling?
>
>
>
> -- Christian Huitema
>
>
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>