Re: [TLS] Another IRINA bug in TLS

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Thu, 21 May 2015 11:04 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74BB11ACD9D for <tls@ietfa.amsl.com>; Thu, 21 May 2015 04:04:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.321
X-Spam-Level:
X-Spam-Status: No, score=0.321 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RAZOR2_CHECK=0.922, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qq7WKXE8Sr5F for <tls@ietfa.amsl.com>; Thu, 21 May 2015 04:04:49 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B2081ACD9A for <tls@ietf.org>; Thu, 21 May 2015 04:04:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=B2r8Zv7FCl2fxVn8fu2Qb1MkjRH74VIg9/9DUUtzudM=; b=YUY4ItJJpf3D9DXdX/2L+xv6uvQn8b2W2vLBLguyvdUxL3gk81EYs7dkri52wIypu2Q05Jq6bdSaeCRyI2JNwkKdduJ/mrC4j3rDoWvoS0sWdoYKoL7PbDDcBhf1pZQr29K8yZGjevJdOXZmgesZhw60W0lcQm8sbUgq6Idp4AFw6TPLSEcGLyeBinR9NGYJvhYZaCuic/1+PrH9fM0EKA+zTEVRwsNGzWfgA6LgJDPILkQHNolb2T3+ohdhHQoJyUayMBhEdJEUDG9vNDTDHDdcryfqOLb0O9oVzWPtVLitYZnj15Pskf1A6S3n/H0MkRNqUgxrIqG80edj7BYBQQ==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (envelope-from <antoine@delignat-lavaud.fr>) id 1YvOHP-0005ln-RF for tls@ietf.org; Thu, 21 May 2015 13:04:47 +0200
Message-ID: <555DBBC6.9040504@delignat-lavaud.fr>
Date: Thu, 21 May 2015 13:04:38 +0200
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com> <20150520145925.GA17676@LK-Perkele-VII>
In-Reply-To: <20150520145925.GA17676@LK-Perkele-VII>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms090000030608040101010207"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wRVqDq7QDmI4jETv4U02rf3Al_c>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 11:04:51 -0000

Le 5/20/2015 4:59 PM, Ilari Liusvaara a écrit :
> On Wed, May 20, 2015 at 10:05:25AM -0400, Watson Ladd wrote:
>> https://weakdh.org/
>>
>> Transcript hashing will solve this problem.
> AFAICT, extended_master_secret won't save you from this.

This is correct. Unfortunately, the realization that the signature on 
the ServerKeyExchange message suffers from the same weakness (it only 
covers nonce instead of current session-hash) as the master key 
derivation came a bit late into the session-hash draft standardization 
(however, browser vendors were given ample time to address this issue).

It is worth noting that Nikos had previously proposed to extend the 
context coverage of the SKE signature to prevent a cross-ciphersuite attack.

It is not clear at this point whether draft-ietf-tls-session-hash can be 
extended to replace nonces with the current session-hash in the SKE 
signature without causing standardization issues.

Antoine