Re: [TLS] Computation of static secret in anonymous DH
Nico Williams <nico@cryptonector.com> Fri, 26 June 2015 18:41 UTC
Date: Fri, 26 Jun 2015 13:41:29 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20150626184128.GG6117@localhost>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vZloHxvKBFcQwSqSPk_Ixzocbf8>
Cc: "tls@ietf.org" <tls@ietf.org>

On Fri, Jun 26, 2015 at 10:08:55AM -0700, Eric Rescorla wrote:
> On Fri, Jun 26, 2015 at 9:54 AM, Ilari Liusvaara <
> ilari.liusvaara@elisanet.fi> wrote:
> > On Fri, Jun 26, 2015 at 05:55:21AM -0700, Eric Rescorla wrote:
> > > On Fri, Jun 26, 2015 at 1:50 AM, Ilari Liusvaara <
> > > ilari.liusvaara@elisanet.fi> wrote:
> > > > 4) Why is finished independent of ES (IIRC, it did depend on it
> > > > in earlier version)?
> > >
> > > I'm going to refer these to Hugo, as they were his suggestion.
> >
> > Also, TLS 1.2 had tls-unique also be secret (but one would have to
> > really misuse it for that to matter). With finished just depending on
> > SS, secrecy might fail.
>
> As I understand it, there are cryptographic logic reasons for this (again,
> I'll defer to Hugo here). Maybe we should just define a new value
> for TLS-Unique based on the exporter secrets?

tls-unique depends on the Finished message strongly binding the entire
transcript up to that point.  I find this elegant (despite the
resumption problem, which anyways, should be fixed by the session hash)
and easy to understand and analyze.

If the Finished message no longer has this property in 1.3 then that's a
problem for tls-unique, and we'd have to fix one or the other.

Surely 1.3 will have some handshake message that binds the transcript,
and why that wouldn't be the Finished message is beyond me (but I am
missing a lot of the 1.3 context, so please forgive and inform me).

It would be better though to move the responsibility for defining
tls-unique to the TLS 1.3 spec even if tls-unique remains unchanged.
That way 1.3 and/or future versions of TLS can specify different
constructions of tls-unique.

Nico
--
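
The transcript binding that tls-unique relies on, as an added example that is not part of the original message: it computes the TLS 1.2 client Finished verify_data (RFC 5246) and takes it as the tls-unique value for a full handshake (RFC 5929). The master secret and handshake messages are constructed placeholders, and SHA-256 is assumed as the PRF hash.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def client_finished(master_secret, handshake_messages):
    """verify_data = PRF(master_secret, "client finished",
    Hash(handshake_messages))[0..11]  (RFC 5246 section 7.4.9)."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return p_sha256(master_secret, b"client finished" + transcript_hash, 12)


def tls_unique(master_secret, handshake_messages):
    """In a full handshake the first Finished sent is the client's, so its
    verify_data is the tls-unique channel binding (RFC 5929)."""
    return client_finished(master_secret, handshake_messages)


# Constructed stand-ins: real handshake messages are binary structures.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = [
    b"ClientHello|suites=A,B",
    b"ServerHello|suite=A",
    b"Certificate|server",
    b"ServerKeyExchange",
    b"ServerHelloDone",
    b"ClientKeyExchange",
]


def binding_changes_when_transcript_changes():
    """Altering any earlier handshake message yields a different binding."""
    tampered = list(TRANSCRIPT)
    tampered[1] = b"ServerHello|suite=B"  # constructed downgrade-style change
    return tls_unique(MASTER_SECRET, TRANSCRIPT) != tls_unique(MASTER_SECRET, tampered)


if __name__ == "__main__":
    print(tls_unique(MASTER_SECRET, TRANSCRIPT).hex())
    print(binding_changes_when_transcript_changes())
```

An application that compares tls-unique values at both ends detects a man-in-the-middle only because the value covers every handshake message; a Finished that covered less would weaken that check.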