Re: [TLS] Computation of static secret in anonymous DH

Nico Williams <nico@cryptonector.com> Fri, 26 June 2015 18:41 UTC

Date: Fri, 26 Jun 2015 13:41:29 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20150626184128.GG6117@localhost>
References: <2AA11887-2F82-48EF-BD45-4D85CFA83847@qut.edu.au> <20150617082529.GA17280@LK-Perkele-VII> <CABcZeBNzzfxo+xQRrS=7-7C65kr3DqtJ5BHqTnt0mC8v-oFuUw@mail.gmail.com> <20150617150505.GA19959@LK-Perkele-VII> <CABcZeBN8m6f=F14Qx1QctMCoF7_LYNrf9D3HstoTZsK2orS1SA@mail.gmail.com> <20150626085008.GA25187@LK-Perkele-VII> <CABcZeBMHim=qBw9L_PG3C4+E=N6n=AdV1AoWN+_19zi84cJJgQ@mail.gmail.com> <20150626165415.GA28534@LK-Perkele-VII> <CABcZeBOTMHVRNi-7JhKEz6KUt=U79SgiKPAmyqUeF3JauUt3Fw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABcZeBOTMHVRNi-7JhKEz6KUt=U79SgiKPAmyqUeF3JauUt3Fw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vZloHxvKBFcQwSqSPk_Ixzocbf8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Computation of static secret in anonymous DH

On Fri, Jun 26, 2015 at 10:08:55AM -0700, Eric Rescorla wrote:
> On Fri, Jun 26, 2015 at 9:54 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> > On Fri, Jun 26, 2015 at 05:55:21AM -0700, Eric Rescorla wrote:
> > > On Fri, Jun 26, 2015 at 1:50 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> > > > 4) Why is finished independent of ES (IIRC, it did depend on it
> > > > in earlier version)?
> > >
> > > I'm going to refer these to Hugo, as they were his suggestion.
> >
> > Also, TLS 1.2 had tls-unique also be secret (but one would have to
> > really misuse it for that to matter). With finished just depending on
> > SS, secrecy might fail.
> 
> As I understand it, there are cryptographic logic reasons for this (again,
> I'll defer to Hugo here). Maybe we should just define a new value
> for TLS-Unique based on the exporter secrets?

tls-unique depends on the Finished message strongly binding the entire
transcript up to that point.  I find this elegant (despite the
resumption problem, which anyway should be fixed by the session hash)
and easy to understand and analyze.

If the Finished message no longer has this property in 1.3 then that's a
problem for tls-unique, and we'd have to fix one or the other.  Surely
1.3 will have some handshake message that binds the transcript, and why
that wouldn't be the Finished message is beyond me (but I am missing a
lot of the 1.3 context, so please forgive and inform me).

It would be better though to move the responsibility for defining
tls-unique to the TLS 1.3 spec even if tls-unique remains unchanged.
That way 1.3 and/or future versions of TLS can specify different
constructions of tls-unique.

Nico
--
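The property Nico is relying on above can be seen concretely in the TLS 1.2 construction: the Finished verify_data is PRF(master_secret, label, Hash(handshake_messages)) (RFC 5246, section 7.4.9), and RFC 5929 defines tls-unique as the verify_data of the first Finished message of the most recent handshake. The example below is added here to illustrate that and is not code from the thread or from any TLS implementation; the master secret and the handshake transcript are constructed sample bytes, not real traffic, and the PRF is the RFC 5246 P_SHA256 construction written out by hand.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained over A(i) values."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def finished_verify_data(master_secret: bytes, handshake_messages: bytes, sender: str) -> bytes:
    """verify_data of a TLS 1.2 Finished message (RFC 5246 section 7.4.9).

    The transcript hash covers every handshake message exchanged so far, so
    the 12-byte output is bound to the whole transcript and to master_secret.
    """
    label = b"client finished" if sender == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, 12)


def tls_unique(master_secret: bytes, handshake_messages: bytes, first_finished_sender: str = "client") -> bytes:
    """RFC 5929 tls-unique: the verify_data of the first Finished message sent
    in the most recent handshake (the client's in a full handshake, the
    server's in an abbreviated/resumption handshake)."""
    return finished_verify_data(master_secret, handshake_messages, first_finished_sender)


def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of data with one byte changed, to simulate a tampered transcript."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed sample values (assumptions for the example, not real handshake bytes).
MASTER_SECRET = bytes(range(48))                       # TLS 1.2 master secrets are 48 bytes
OTHER_MASTER_SECRET = bytes(48)                         # a different connection's secret
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def demo() -> dict:
    """Show the two properties the thread discusses: transcript binding and
    dependence on the (secret) master secret."""
    cb = tls_unique(MASTER_SECRET, TRANSCRIPT)
    return {
        "tls_unique": cb,
        # Any change to any earlier handshake message changes the value.
        "tampered_transcript": tls_unique(MASTER_SECRET, flip_byte(TRANSCRIPT, 3)),
        # The same transcript under another master secret gives a different value,
        # so a passive observer of the handshake cannot compute tls-unique.
        "other_secret": tls_unique(OTHER_MASTER_SECRET, TRANSCRIPT),
        # A resumption handshake's tls-unique is the server's Finished, a different label.
        "resumption": tls_unique(MASTER_SECRET, TRANSCRIPT, first_finished_sender="server"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value.hex()}")
```

The last two entries are what Ilari's remark turns on: in TLS 1.2 the value is a function of master_secret, so tls-unique is itself secret; a Finished computed from a value known to more parties would keep the transcript binding but lose that secrecy. Note also that the session-hash fix Nico mentions (the extended master secret) changes how master_secret is derived, not the Finished computation shown here.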