[TLS] question on draft-ietf-tls-session-hash-03

Tony Hansen <tony@att.com> Tue, 24 February 2015 14:22 UTC

Message-ID: <54EC8900.5000904@att.com>
To: karthikeyan.bhargavan@inria.fr, antoine.delignat-lavaud@inria.fr, alfredo.pironti@inria.fr, agl@google.com, maray@microsoft.com
Cc: tls@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/y8FeB2uvV6_Z802dQz6lh4OQcho>

I have a question on draft-ietf-tls-session-hash-03. In the description 
I see:

    As described in [TRIPLE-HS] (https://tools.ietf.org/html/draft-ietf-tls-session-hash-03#ref-TRIPLE-HS), in both the RSA and DHE key exchanges,
    an active attacker can synchronize two TLS sessions so that they
    share the same "master_secret".  For an RSA key exchange where the
    client is unauthenticated, this is achieved as follows.  Suppose a
    client, C, connects to a malicious server, A.  A then connects to a
    server, S, and completes both handshakes.  For simplicity, assume
    that C and S only use RSA ciphersuites.  (Note that C thinks it is
    connecting to A and is oblivious of S's involvement.)

My question is on the parenthetical comment at the end. I'll repeat it 
here, expanding C, S and A into CLIENT, SERVER and ATTACKER, respectively:

    (Note that CLIENT thinks it is
    connecting to ATTACKER and is oblivious of SERVER's involvement.)

Am I wrong in thinking that A and S are reversed here, and this should read:

    (Note that CLIENT thinks it is
    connecting to SERVER and is oblivious of ATTACKER's involvement.)

Or, removing the expansion:

    (Note that C thinks it is
    connecting to S and is oblivious of A's involvement.)

That is, ATTACKER A is the malicious man in the middle that the client 
is not aware of. (For that matter, the server is also probably oblivious 
of A's involvement.)

     Tony Hansen
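The quoted draft text describes the setup that the session-hash draft is designed to defeat: the man in the middle A arranges for the C-A session and the A-S session to end up with the same master_secret. The following is an added example, written for this archive page and not taken from the draft, the email, or any TLS implementation. It computes the TLS 1.2 master secret both the classic way (RFC 5246: PRF over client_random and server_random) and the extended way defined by the draft (PRF over the session hash of the handshake transcript), using constructed values: a fixed premaster secret, fixed randoms that A relays unchanged, and simplified placeholder byte strings standing in for the handshake messages (real handshake messages are full TLS encodings; the placeholders only need to differ in the Certificate and ClientKeyExchange messages, as they would in the two real sessions). The point it shows is that synchronising randoms and premaster secret is enough to equalise the classic master secret, but not the extended one, because the two transcripts contain different server certificates.

```python
import hashlib
import hmac


def p_hash(secret, seed, length):
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def classic_master_secret(pms, client_random, server_random):
    """RFC 5246 derivation: depends only on pms and the two randoms."""
    return prf(pms, b"master secret", client_random + server_random, 48)


def session_hash(handshake_messages):
    """Hash of the concatenated handshake messages up to ClientKeyExchange."""
    return hashlib.sha256(b"".join(handshake_messages)).digest()


def extended_master_secret(pms, transcript_hash):
    """draft-ietf-tls-session-hash derivation: seed is the session hash."""
    return prf(pms, b"extended master secret", transcript_hash, 48)


def simulate_synchronized_sessions():
    """Model the C <-> A <-> S setup from the draft with constructed values.

    A relays C's client_random to S and copies S's server_random back to C,
    and re-encrypts the premaster secret it decrypted from C under S's key,
    so pms, client_random and server_random are identical in both sessions.
    """
    # Constructed sample values (not real handshake data).
    pms = b"\x03\x03" + b"\x11" * 46      # 48-byte RSA premaster secret
    client_random = b"\x01" * 32          # chosen by C, forwarded by A to S
    server_random = b"\x02" * 32          # chosen by S, copied by A to C

    client_hello = b"ClientHello:" + client_random
    server_hello = b"ServerHello:" + server_random
    # Placeholder transcripts: only Certificate and ClientKeyExchange differ,
    # because C sees A's certificate and encrypts to A's key, while S sees
    # A acting as a client and receives a ciphertext under S's key.
    transcript_ca = [client_hello, server_hello, b"Certificate:CERT-A",
                     b"ServerHelloDone", b"ClientKeyExchange:RSA-ENC-TO-A"]
    transcript_as = [client_hello, server_hello, b"Certificate:CERT-S",
                     b"ServerHelloDone", b"ClientKeyExchange:RSA-ENC-TO-S"]

    ms_ca = classic_master_secret(pms, client_random, server_random)
    ms_as = classic_master_secret(pms, client_random, server_random)
    ems_ca = extended_master_secret(pms, session_hash(transcript_ca))
    ems_as = extended_master_secret(pms, session_hash(transcript_as))

    return {"classic_equal": ms_ca == ms_as, "ems_equal": ems_ca == ems_as}


if __name__ == "__main__":
    result = simulate_synchronized_sessions()
    print("classic master_secret identical in both sessions:", result["classic_equal"])
    print("extended master_secret identical in both sessions:", result["ems_equal"])
```

Run as a script it reports True for the classic derivation and False for the extended one; anything that later binds to the master secret (Finished messages, renegotiation, session resumption) therefore distinguishes the two sessions once the extended derivation is used, which is the property the draft relies on.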