Daniel Kaiser and I are working on a "pairing" specification in the context of 
DNS SD. Short Authentication Strings are one of the preferred methods for 
verifying pairings. I would like to use TLS as much as possible in the pairing 
protocol. EKR pointed me to the expired draft by Ian Miers, Matthew Green and 
him: https://tools.ietf.org/html/draft-miers-tls-sas-00. I am interested in 
reviving that draft.

The draft implements a classic "coin flipping" protocol in TLS, using a 
"commit before disclose" logic to prevent Nessie from hiding as an MITM between 
Alice and Bob. From my superficial reading, this looks fine. I could use a 
reference to http://people.csail.mit.edu/shaih/pubs/hm96.pdf, both to explain 
why the attack by Halevi and Micali does not apply to this particular 
construct, and also to provide a 20-year-old reference to similar algorithms, 
which may be useful in this day and age.

One nit, though. If Nessie has infinite computing resources, she can build a 
catalog of multiple random values that all hash to the same string, and then 
use that catalog to work around the commitment protocol. The scheme in the 
draft prevents that attack by using a hash keyed with the master secret, which 
defeats catalog attacks, and also by limiting the length of the nonce to be 
below the length of the hash, which in theory prevents collision attacks. 
Explaining that would be neat.

As I said, I am interested in reviving that draft, and adapting it to TLS 1.3. 
Does someone else share the feeling?

-- Christian Huitema


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
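The commit-before-disclose coin flip discussed above, as an added worked example (not code from draft-miers-tls-sas-00, nor from the author of the message). It models one TLS session as a client that commits to its nonce, a server that then sends its own nonce in the clear, and a client that reveals its nonce afterwards; the commitment is a hash keyed with the session master secret, and the nonce is kept shorter than the hash output, as the message describes. Everything else is an assumption for the illustration: the exact extension layout of the draft is not reproduced, the master secret is simply a random 32-byte string that the two ends already share, the SAS is 16 bits so the brute force runs in well under a second, and the HMAC labels `sas-commit` / `sas-value` are invented. The example runs Nessie's MITM twice: against the committed protocol, where she can only guess, and against a variant with no commitment, where she grinds her own nonce until the two SAS values coincide.

```python
"""Commit-before-disclose SAS coin flip, modelled on the idea in draft-miers-tls-sas-00.

Added example, not the draft's code. Assumptions: both ends of a session already
share a per-session master secret `ms`; the client commits in ClientHello, the
server sends its nonce in ServerHello, and the client reveals its nonce later.
"""
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

HASH_LEN = hashlib.sha256().digest_size   # 32 bytes
NONCE_LEN = 16                            # kept strictly below the hash output length
SAS_BITS = 16                             # assumption: short, human-comparable string
MAX_TRIES = 1 << 22                       # brute-force budget for the no-commit variant


def commit(ms: bytes, nonce: bytes) -> bytes:
    """Commitment to `nonce`, keyed with the session master secret.

    Keying with `ms` is what defeats a precomputed catalog of colliding
    nonces: the catalog would have to be built per key, and `ms` is fresh
    and unknown to Nessie before the session starts.
    """
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly NONCE_LEN bytes")
    return hmac.new(ms, b"sas-commit" + nonce, hashlib.sha256).digest()


def verify_commit(ms: bytes, nonce: bytes, commitment: bytes) -> bool:
    """Server-side check when the client reveals its nonce.

    The length check matters: accepting an over-length nonce would hand the
    committer a larger space in which to look for two openings of one commitment.
    """
    if len(nonce) != NONCE_LEN or len(commitment) != HASH_LEN:
        return False
    return hmac.compare_digest(commit(ms, nonce), commitment)


def sas(ms: bytes, client_nonce: bytes, server_nonce: bytes) -> int:
    """Short authentication string: the first SAS_BITS bits of HMAC(ms, nonces)."""
    d = hmac.new(ms, b"sas-value" + client_nonce + server_nonce, hashlib.sha256).digest()
    return int.from_bytes(d[:4], "big") >> (32 - SAS_BITS)


def honest_session(ms: bytes) -> Tuple[bool, int, int]:
    """Alice (client) and Bob (server) on one session: (commit_ok, sas_alice, sas_bob)."""
    n_a = secrets.token_bytes(NONCE_LEN)
    c_a = commit(ms, n_a)                  # ClientHello carries only the commitment
    n_b = secrets.token_bytes(NONCE_LEN)   # ServerHello carries Bob's nonce in the clear
    ok = verify_commit(ms, n_a, c_a)       # Alice reveals n_a later; Bob checks the opening
    return ok, sas(ms, n_a, n_b), sas(ms, n_a, n_b)


def nessie_with_commitment() -> bool:
    """Nessie runs session ms_a with Alice and ms_b with Bob.

    Returns True if the two SAS values she induced coincide, which is what she
    needs for Alice and Bob to accept. Whichever session she finishes first, the
    other one still contains a nonce chosen after her own is fixed (Bob's n_b
    after her commitment, or Alice's hidden n_a before her server nonce), so the
    best she can do is guess: success probability 2**-SAS_BITS.
    """
    ms_a, ms_b = secrets.token_bytes(32), secrets.token_bytes(32)
    # Session with Bob, Nessie as client: she must commit before Bob picks n_b.
    n_n = secrets.token_bytes(NONCE_LEN)
    c_n = commit(ms_b, n_n)
    n_b = secrets.token_bytes(NONCE_LEN)   # chosen by Bob after seeing c_n
    assert verify_commit(ms_b, n_n, c_n)   # she cannot reopen c_n to another nonce
    sas_bob = sas(ms_b, n_n, n_b)          # now fixed
    # Session with Alice, Nessie as server: she sees c_a but not n_a, so she
    # cannot evaluate sas(ms_a, n_a, candidate) and has nothing to search over.
    n_a = secrets.token_bytes(NONCE_LEN)
    c_a = commit(ms_a, n_a)
    n_n2 = secrets.token_bytes(NONCE_LEN)  # a blind pick is all she has
    assert verify_commit(ms_a, n_a, c_a)   # Alice reveals n_a afterwards
    return sas(ms_a, n_a, n_n2) == sas_bob


def nessie_without_commitment() -> Optional[int]:
    """Same attack against a variant in which Alice sends n_a in the clear.

    Nessie finishes Bob's session first (fixing sas_bob), reads n_a, then grinds
    her own server nonce. Returns the number of candidates tried, or None if
    MAX_TRIES was exhausted; about 2**SAS_BITS tries are expected.
    """
    ms_a, ms_b = secrets.token_bytes(32), secrets.token_bytes(32)
    n_n, n_b = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    sas_bob = sas(ms_b, n_n, n_b)          # target, fixed before Alice's session
    n_a = secrets.token_bytes(NONCE_LEN)   # visible to Nessie: no commitment
    for tries in range(1, MAX_TRIES + 1):
        cand = tries.to_bytes(NONCE_LEN, "big")
        if sas(ms_a, n_a, cand) == sas_bob:
            return tries
    return None


if __name__ == "__main__":
    print("honest session:", honest_session(secrets.token_bytes(32)))
    print("MITM vs committed protocol matched:", nessie_with_commitment())
    print("MITM vs no-commit variant, tries needed:", nessie_without_commitment())
```

The point the two attack functions make is that the commitment is what turns a 16-bit comparison into something Nessie cannot grind: without it, matching two independent short strings costs her about 2^16 hash evaluations, which a laptop does in a fraction of a second, whereas with it she is reduced to a single blind guess per pairing attempt.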
