On Tue, Aug 11, 2015 at 11:29:12AM -0700, Martin Thomson wrote:
> On 11 August 2015 at 11:25, Karthikeyan Bhargavan
> <karthik.bharga...@gmail.com> wrote:
> > No, a regular ECDSA certificate would do.
> > That is, the attack would work as long as
> > - a client has an ECDSA certificate, and
> > - it enables any static TLS_ECDH_* cipher suite, and
> > - its ECDSA private key has been stolen (or chosen) by an attacker.
> 
> I don't see how that would work.  A client that understands the cert
> to be ECDSA won't pair the key with the server's ECDH share, they will
> sign the session transcript with it.

a) ECDSA certs are usable for ECDH (modulo KeyUsage) because there is
no ECDSA-specific keytype in X.509.

b) SSL v3.0 server PoP (still there in TLS v1.2) does not sign the
transcript, only the public key (only TLS 1.3 fixes this).
Logjam, anyone?

c) Non-signature client certs (like ECDH) don't have transcript
signatures either.


An attacker can just replay the randoms and SKE, and then compute the
client-side PMS. Game over; EMS will not save you.



-Ilari
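An added check illustrating point (a) above (example code, not from Ilari or the IETF list): it builds a constructed self-signed EC certificate and reports whether its KeyUsage would leave it acceptable for static ECDH, which is what a defender wants to rule out for a certificate meant only for ECDSA signing. The names MakeECCert and AllowsStaticECDH are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MakeECCert builds a self-signed cert over a fresh P-256 key with the given
// KeyUsage bits. Constructed fixture for the check below, not a real cert.
func MakeECCert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     usage, // zero: no KeyUsage extension is emitted at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AllowsStaticECDH reports whether an EC cert could be accepted for static ECDH:
// X.509 has only id-ecPublicKey, so only the KeyUsage extension can say no.
func AllowsStaticECDH(c *x509.Certificate) bool {
	if c.PublicKeyAlgorithm != x509.ECDSA {
		return false
	}
	if c.KeyUsage == 0 {
		return true // no KeyUsage extension: nothing restricts the key
	}
	return c.KeyUsage&x509.KeyUsageKeyAgreement != 0
}
func main() {
	c, err := MakeECCert(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement)
	if err != nil {
		panic(err)
	}
	fmt.Println("static ECDH allowed:", AllowsStaticECDH(c)) // true
}
```

A certificate whose KeyUsage is digitalSignature alone is the only one of the three cases (signature-only, signature plus keyAgreement, no KeyUsage at all) that the check refuses for static ECDH.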

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls