IETF Logo Mail Archive

Re: [TLS] Draft status and updates

Eric Rescorla <ekr@rtfm.com> Wed, 02 December 2015 17:30 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4999C1ACAD5 for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qocRrJzAKaE7 for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:30:03 -0800 (PST)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5507F1AC419 for <tls@ietf.org>; Wed, 2 Dec 2015 09:30:03 -0800 (PST)
Received: by ykdr82 with SMTP id r82so54869922ykd.3 for <tls@ietf.org>; Wed, 02 Dec 2015 09:30:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=idRe9Dsu5GK2tHqLdMUbmMNPD/PUOW2wavbU4zd4WUM=; b=05IFHpzkL8Cfqpa0Hn0LlMnxENxEjUHNuO7Vg1p9PyGqodh8EDrLkETodUDy3oA7o1 CSKXnZy68AvLevPfxT8WMqiIGGvlrMioK9UVM5UIECYQhq2oLqjNK4tmLD3svWrWtb/5 fDpM2F++Nkh7FctJqwVwGfe+olezbddszLyzeQEvsfcbs4HVTus+02of6ybscUrLiZq4 4xu4f9x4RQiYDj3bE5Sg+cg3MQypjYkUhSZIgWKApnN+YgqlKorkfiDDoAfZOb4sEOZ/ 1sJXM31I057XNP+gMzdCon50e6jB1ZY4nDzsm7OA1Sd0ZNHLC2lniLls2HJAWTmvQi2i z6Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=idRe9Dsu5GK2tHqLdMUbmMNPD/PUOW2wavbU4zd4WUM=; b=aFhyCIngl6fJiP65IMIOtfES/B/oJXaNkZXh6NLgIlyKzgej9C2fKWAh+iClYwy3aW 7hLQlUJPZCnAKNCmzOKl3MDQWnkB+UZABw74FXX4tft0tPZ/G/v4DSLKC71DnL2a1r0j ePrx3Sb5qgSVmHb0nYetXooedKECMAdCTSAJNstAxvlV5O4Tr5ekPipij6tBhLa0jgf3 7aJn6RTj1w+XNQUJ8BxDqd6xMuMPm3CvQuOY/MsfifAo4LINANMtLnNjw7tIrv+hJ2Hm ZeG1Re0zAWUDj1nzaz9bxAln+pNsC74TixCoPprBNGoI7T9aC6CPSS9a42pse/87SitA k+LQ==
X-Gm-Message-State: ALoCoQlDIKZT6Vxy1g0n19WHJ+REgBLBmlwIPwuCUlZeoI4Yj1XrsD/SASxMkkvYK11vx1nHDk5N
X-Received: by 10.129.34.4 with SMTP id i4mr3071227ywi.155.1449077402612; Wed, 02 Dec 2015 09:30:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Wed, 2 Dec 2015 09:29:23 -0800 (PST)
In-Reply-To: <20151202170845.GA25111@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNxxC=uOg3bKtJP2bpMa9Z7En_RR2q3zn-qduse+Oh8-g@mail.gmail.com> <20151201185733.GB15222@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNS1r2vjKhioOQdyHh9dgFhFmZL+-6qJQpn01Tqfw2a-g@mail.gmail.com> <20151202170845.GA25111@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 02 Dec 2015 09:29:23 -0800
Message-ID: <CABcZeBOy=Ank_Pdx05=gwXvku7EaCsi0cUpUP2m3aVYdwHN2MQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a11408678d603950525ed9f1a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/siKiQzhaCLpyAni1Lgn7baYp_jc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft status and updates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:30:10 -0000

On Wed, Dec 2, 2015 at 9:08 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Tue, Dec 01, 2015 at 11:19:15AM -0800, Eric Rescorla wrote:
> >
> > 3. The server provides g^y in his ServerHello and then g^xy and g^xs
> > are jointly used to produce the traffic keys and also to form a MAC over
> > the handshake. As Hugo pointed out originally, this alone should
> > be sufficient to authenticate the server's side of the connection and
> > you could omit the server CertificateVerify (Hugo, please correct
> > me if I have misunderstood).
>
> Is it guaranteed that the groups are the same?
>

Yes, it's a requirement that the groups be the same. If the text doesn't
say that, it should.



> Even if it is, due to implementation bugs, bad idea to rely upon that.


Can you expand on this point? Is there a specific easy-to-make
implementation
error you are concerned with?



>
> > Trying to read between the lines, is your concern that the server is
> > now no longer explicitly signing over the ServerConfiguration in
> > its CertificateVerify [Note that the client continues to do so]? The idea
> > behind removing that was to make the 1-RTT part of the handshake
> > more uniform regardless of whether 0-RTT data was used.
> > I'm certainly open to putting that back in if it's needed, but can you
> > explain your concern in more detail?
>
> The concern is that attacker that has managed to inject g^s for
> known s is able to impersonate the server even through server certificate
> validation on subsequent connections (under some conditions).
>

I'm sorry, I'm still not following. All the data that the server sends is
tied to
g^y which is signed with the server's certificate, so even if s were
published,
the attacker should not be able to inject data which the client would
accept.

With that said, it's certainly true that if the attacker is able to
convince the
client that the server has a certain g^a where a is known to the attacker,
then the client has a problem because he will encrypt data *to* the
attacker in 0-RTT, so obviously we are assuming that the attacker does
not know s and cannot convince the client to accept a g^s of his
choice.


(Indirectly) signing g^s would prevent this.
>
> ... Funkily enough, this attack doesn't work against either tls-unique
> nor tls-extractor (however, those still fail nonce check with respect
> to SS)...


Do you think you could draw a ladder diagram that shows the attack you
are concerned about?

-Ekr






>
>
>
> -Ilari
>

v2.23.0 | Report a Bug | By Email