Hi Christian,

could you provide a bit more background on why you are working on such a solution?

Ciao
Hannes


On 08/18/2016 07:47 PM, Christian Huitema wrote:
Daniel Kaiser and I are working on a “pairing” specification in the
context of DNS SD. Short Authentication Strings are one of the preferred
methods for verifying pairings. I would like to use TLS as much as
possible in the pairing protocol. EKR pointed me to the expired draft by
Ian Miers, Matthew Green and him:
https://tools.ietf.org/html/draft-miers-tls-sas-00. I am interested in
reviving that draft.

The draft implements a classic “coin flipping” protocol into TLS, using
a “commit before disclose” logic to prevent Nessie from hiding as an
MITM between Alice and Bob. From my superficial reading, this looks
fine. I could use a reference to
http://people.csail.mit.edu/shaih/pubs/hm96.pdf, both to explain why the
attack by Halevi and Micali does not apply to this particular construct,
and also to provide a 20-year-old reference to similar algorithms,
which may be useful in this day and age.

One nit, though. If Nessie has infinite computing resources, she can
build a catalog of multiple random values that all hash to the same
string, and then use that catalog to work around the commitment
protocol. The scheme in the draft prevents that attack by using a hash
keyed with the master secret, which defeats catalog attacks, and also by
limiting the length of the nonce to be below the length of the hash,
which in theory prevents collision attacks. Explaining that would be neat.

As I said, I am interested in reviving that draft, and adapting it to
TLS 1.3. Does someone else share the feeling?

-- Christian Huitema

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
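The commit-before-disclose exchange Christian describes, written out as an added illustration (this is not code from the draft, from its authors, or from either poster, and it does not reproduce the draft's wire format). It assumes HMAC-SHA256 as the hash keyed with the master secret, 16-byte nonces kept strictly shorter than the 32-byte hash output, and a 6-digit decimal SAS; all three are choices made here for illustration. It shows both sides' messages, Bob refusing an opening that does not match the commitment, and why a keyed commitment makes a precomputed catalog of colliding values useless: the key is not known until the handshake is done.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not taken from the draft): HMAC-SHA256 as the keyed
# hash, 16-byte nonces, a 6-digit decimal SAS.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size      # 32 bytes
NONCE_LEN = 16                     # kept strictly below HASH_LEN
SAS_DIGITS = 6


def commit(master_secret: bytes, nonce: bytes) -> bytes:
    """Commitment to a nonce: HMAC(master_secret, nonce).

    Keying with the session's master secret means a catalog of colliding
    inputs computed before the handshake is useless, because the key is
    unknown until the handshake completes. Refusing nonces as long as the
    hash output keeps the committed input shorter than the digest."""
    if len(nonce) >= HASH_LEN:
        raise ValueError("nonce must be shorter than the hash output")
    return hmac.new(master_secret, nonce, HASH).digest()


def verify_commitment(master_secret: bytes, nonce: bytes, commitment: bytes) -> bool:
    """Check that an opened nonce matches the commitment received earlier."""
    try:
        expected = commit(master_secret, nonce)
    except ValueError:
        return False
    return hmac.compare_digest(expected, commitment)


def derive_sas(master_secret: bytes, nonce_a: bytes, nonce_b: bytes) -> str:
    """Short Authentication String from both nonces, keyed with the master secret."""
    digest = hmac.new(master_secret, b"sas" + nonce_a + nonce_b, HASH).digest()
    value = int.from_bytes(digest[:4], "big") % 10 ** SAS_DIGITS
    return f"{value:0{SAS_DIGITS}d}"


def run_pairing(master_secret, nonce_a=None, nonce_b=None, opened_nonce_a=None):
    """Simulate the exchange between Alice and Bob inside one TLS session.

    Returns (sas_alice, sas_bob); sas_bob is None when Bob rejects the opening.
    opened_nonce_a models a nonce that was altered between commit and open."""
    nonce_a = nonce_a if nonce_a is not None else secrets.token_bytes(NONCE_LEN)
    nonce_b = nonce_b if nonce_b is not None else secrets.token_bytes(NONCE_LEN)
    opened = opened_nonce_a if opened_nonce_a is not None else nonce_a

    # 1. Alice -> Bob: commitment to nonce_a; the nonce itself stays hidden.
    c_a = commit(master_secret, nonce_a)
    # 2. Bob -> Alice: nonce_b, chosen without any knowledge of nonce_a.
    # 3. Alice -> Bob: nonce_a, opening the commitment.
    sas_alice = derive_sas(master_secret, nonce_a, nonce_b)
    # 4. Bob verifies the opening before deriving anything from it.
    if not verify_commitment(master_secret, opened, c_a):
        return sas_alice, None
    sas_bob = derive_sas(master_secret, opened, nonce_b)
    return sas_alice, sas_bob


if __name__ == "__main__":
    # Constructed sample values; a real master secret comes from the handshake.
    ms = secrets.token_bytes(48)
    honest = run_pairing(ms)
    print("honest run, both sides show:", honest)
    tampered = run_pairing(ms, opened_nonce_a=secrets.token_bytes(NONCE_LEN))
    print("altered opening, Bob rejects:", tampered[1] is None)
    n = secrets.token_bytes(NONCE_LEN)
    print("same nonce, different session key, different commitment:",
          commit(ms, n) != commit(secrets.token_bytes(48), n))
```

Bob compares the two displayed strings out of band; the code only models what each endpoint computes. The `opened_nonce_a` parameter is there so the rejection path can be exercised without a second party.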