Re: [TLS] New drafts: adding input to the TLS master secret

Eric Rescorla <ekr@networkresonance.com> Thu, 04 February 2010 05:03 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E995728C101 for <tls@core3.amsl.com>; Wed, 3 Feb 2010 21:03:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.018
X-Spam-Level:
X-Spam-Status: No, score=0.018 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4oxExSYvLd9 for <tls@core3.amsl.com>; Wed, 3 Feb 2010 21:03:47 -0800 (PST)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 16B283A6862 for <tls@ietf.org>; Wed, 3 Feb 2010 21:03:47 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 89EFF6E70AD; Wed, 3 Feb 2010 21:06:08 -0800 (PST)
Date: Wed, 03 Feb 2010 21:06:08 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Marsh Ray <marsh@extendedsubset.com>
In-Reply-To: <4B68D672.2060609@extendedsubset.com>
References: <p0624089bc78922bdaddd@[10.20.30.158]> <87fx5jk8vp.fsf@mocca.josefsson.org> <p06240813c78e116da3f6@[75.101.18.87]> <001001caa442$beefbde0$3ccf39a0$@org> <p06240829c78e37e5a850@[75.101.18.87]> <001101caa44b$35f6f540$a1e4dfc0$@org> <p06240831c78e4f0e15ee@[75.101.18.87]> <4B68D672.2060609@extendedsubset.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20100204050608.89EFF6E70AD@kilo.networkresonance.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, tls@ietf.org
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2010 05:03:48 -0000

At Tue, 02 Feb 2010 19:50:42 -0600,
Marsh Ray wrote:
> 
> Paul Hoffman wrote:
> > 
> > This proposed protocol change is only relevant to scenarios where
> > there is a cryptographic reason to mix inherently non-sensitive data
> > passed before the change_cipher_spec message into the master secret.
> 
> I don't get it. (Sorry I am a little dense sometimes)
> 
> You said the data is "not sensitive" and it is sent in plain text. So an
> attacker has it as soon as the endpoints do.
> 
> What does this accomplish over just hashing your extra data into the 28
> byte random field? (which would not require a new protocol structure)
> 
> 224 bits of from each endpoint ... is 448 bits really not enough entropy
> somehow? 448 bits ought to be enough for anybody :-)

Moreover, the the purpose of the random values is *not* to add extra
cryptographic strength, since they're not secret. Rather, it's to
ensure uniqueness of the handshake master secret even if the PMS is
repeated. However, the bound here is just the collision bound for the
random values, which doesn't require anything like 224 bits.

I'm not really against this extension, but I'm not aware of any
coherent security argument for it.

-Ekr