th5/testdata/Server-TLSv12-CipherSuiteCertPreferenceECDSA

86 lines
6.3 KiB
Plaintext
Raw Permalink Normal View History

>>> Flow 1 (client to server)
00000000 16 03 01 00 a7 01 00 00 a3 03 03 7e 8a c0 04 93 |...........~....|
00000010 7a be 32 5c b3 38 83 b1 ec d0 31 8d a1 61 f3 2b |z.2\.8....1..a.+|
00000020 b2 6a 0d 08 71 41 fb 20 c2 46 0c 00 00 38 c0 2c |.j..qA. .F...8.,|
00000030 c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e |.0.........+./..|
00000040 c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 |.$.(.k.#.'.g....|
00000050 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c |.9.....3.....=.<|
00000060 00 35 00 2f 00 ff 01 00 00 42 00 0b 00 04 03 00 |.5./.....B......|
00000070 01 02 00 0a 00 0a 00 08 00 1d 00 17 00 19 00 18 |................|
00000080 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 |... ............|
00000090 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 |................|
000000a0 02 02 02 03 00 16 00 00 00 17 00 00 |............|
>>> Flow 2 (server to client)
crypto/ecdsa: make Sign safe with broken entropy sources ECDSA is unsafe to use if an entropy source produces predictable output for the ephemeral nonces. E.g., [Nguyen]. A simple countermeasure is to hash the secret key, the message, and entropy together to seed a CSPRNG, from which the ephemeral key is derived. Fixes #9452 -- This is a minimalist (in terms of patch size) solution, though not the most parsimonious in its use of primitives: - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash)) - reader = AES-256-CTR(k=csprng_key) This, however, provides at most 128-bit collision-resistance, so that Adv will have a term related to the number of messages signed that is significantly worse than plain ECDSA. This does not seem to be of any practical importance. ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for two sets of reasons: *Practical:* SHA2-512 has a larger state and 16 more rounds; it is likely non-generically stronger than SHA2-256. And, AFAIK, cryptanalysis backs this up. (E.g., [Biryukov] gives a distinguisher on 47-round SHA2-256 with cost < 2^85.) This is well below a reasonable security-strength target. *Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is indifferentiable from a random oracle for slightly beyond the birthday barrier. It seems likely that this makes a generic security proof that this construction remains UF-CMA is possible in the indifferentiability framework. -- Many thanks to Payman Mohassel for reviewing this construction; any mistakes are mine, however. And, as he notes, reusing the private key in this way means that the generic-group (non-RO) proof of ECDSA's security given in [Brown] no longer directly applies. -- [Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps "Brown. The exact security of ECDSA. 2000" [Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf "Coron et al. Merkle-Damgard revisited. 2005" [Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf "Chang and Nandi. Improved indifferentiability security analysis of chopMD hash function. 2008" [Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf "Biryukov et al. Second-order differential collisions for reduced SHA-256. 2011" [Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps "Nguyen and Shparlinski. The insecurity of the elliptic curve digital signature algorithm with partially known nonces. 2003" New tests: TestNonceSafety: Check that signatures are safe even with a broken entropy source. TestINDCCA: Check that signatures remain non-deterministic with a functional entropy source. Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites. Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a Reviewed-on: https://go-review.googlesource.com/3340 Reviewed-by: Adam Langley <agl@golang.org>
2015-01-27 07:00:21 +00:00
00000000 16 03 03 00 31 02 00 00 2d 03 03 00 00 00 00 00 |....1...-.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
crypto/ecdsa: make Sign safe with broken entropy sources ECDSA is unsafe to use if an entropy source produces predictable output for the ephemeral nonces. E.g., [Nguyen]. A simple countermeasure is to hash the secret key, the message, and entropy together to seed a CSPRNG, from which the ephemeral key is derived. Fixes #9452 -- This is a minimalist (in terms of patch size) solution, though not the most parsimonious in its use of primitives: - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash)) - reader = AES-256-CTR(k=csprng_key) This, however, provides at most 128-bit collision-resistance, so that Adv will have a term related to the number of messages signed that is significantly worse than plain ECDSA. This does not seem to be of any practical importance. ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for two sets of reasons: *Practical:* SHA2-512 has a larger state and 16 more rounds; it is likely non-generically stronger than SHA2-256. And, AFAIK, cryptanalysis backs this up. (E.g., [Biryukov] gives a distinguisher on 47-round SHA2-256 with cost < 2^85.) This is well below a reasonable security-strength target. *Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is indifferentiable from a random oracle for slightly beyond the birthday barrier. It seems likely that this makes a generic security proof that this construction remains UF-CMA is possible in the indifferentiability framework. -- Many thanks to Payman Mohassel for reviewing this construction; any mistakes are mine, however. And, as he notes, reusing the private key in this way means that the generic-group (non-RO) proof of ECDSA's security given in [Brown] no longer directly applies. -- [Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps "Brown. The exact security of ECDSA. 2000" [Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf "Coron et al. Merkle-Damgard revisited. 2005" [Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf "Chang and Nandi. Improved indifferentiability security analysis of chopMD hash function. 2008" [Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf "Biryukov et al. Second-order differential collisions for reduced SHA-256. 2011" [Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps "Nguyen and Shparlinski. The insecurity of the elliptic curve digital signature algorithm with partially known nonces. 2003" New tests: TestNonceSafety: Check that signatures are safe even with a broken entropy source. TestINDCCA: Check that signatures remain non-deterministic with a functional entropy source. Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites. Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a Reviewed-on: https://go-review.googlesource.com/3340 Reviewed-by: Adam Langley <agl@golang.org>
2015-01-27 07:00:21 +00:00
00000020 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 00 |................|
00000030 05 ff 01 00 01 00 16 03 03 02 0e 0b 00 02 0a 00 |................|
00000040 02 07 00 02 04 30 82 02 00 30 82 01 62 02 09 00 |.....0...0..b...|
00000050 b8 bf 2d 47 a0 d2 eb f4 30 09 06 07 2a 86 48 ce |..-G....0...*.H.|
00000060 3d 04 01 30 45 31 0b 30 09 06 03 55 04 06 13 02 |=..0E1.0...U....|
00000070 41 55 31 13 30 11 06 03 55 04 08 13 0a 53 6f 6d |AU1.0...U....Som|
00000080 65 2d 53 74 61 74 65 31 21 30 1f 06 03 55 04 0a |e-State1!0...U..|
00000090 13 18 49 6e 74 65 72 6e 65 74 20 57 69 64 67 69 |..Internet Widgi|
000000a0 74 73 20 50 74 79 20 4c 74 64 30 1e 17 0d 31 32 |ts Pty Ltd0...12|
000000b0 31 31 32 32 31 35 30 36 33 32 5a 17 0d 32 32 31 |1122150632Z..221|
000000c0 31 32 30 31 35 30 36 33 32 5a 30 45 31 0b 30 09 |120150632Z0E1.0.|
000000d0 06 03 55 04 06 13 02 41 55 31 13 30 11 06 03 55 |..U....AU1.0...U|
000000e0 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 65 31 21 |....Some-State1!|
000000f0 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 72 6e 65 |0...U....Interne|
00000100 74 20 57 69 64 67 69 74 73 20 50 74 79 20 4c 74 |t Widgits Pty Lt|
00000110 64 30 81 9b 30 10 06 07 2a 86 48 ce 3d 02 01 06 |d0..0...*.H.=...|
00000120 05 2b 81 04 00 23 03 81 86 00 04 00 c4 a1 ed be |.+...#..........|
00000130 98 f9 0b 48 73 36 7e c3 16 56 11 22 f2 3d 53 c3 |...Hs6~..V.".=S.|
00000140 3b 4d 21 3d cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc |;M!=.ku......&..|
00000150 b2 87 f0 72 32 7c b3 64 2f 1c 90 bc ea 68 23 10 |...r2|.d/....h#.|
00000160 7e fe e3 25 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 |~..%.H:i.(m.7...|
00000170 62 dd 0d a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 |b....pb....d1...|
00000180 31 bd 96 b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 |1...h..#.vd?.\..|
00000190 12 0e 58 58 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc |..XX._p.........|
000001a0 b9 b6 9f 30 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 |...0f[f. .'...;0|
000001b0 09 06 07 2a 86 48 ce 3d 04 01 03 81 8c 00 30 81 |...*.H.=......0.|
000001c0 88 02 42 01 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 |..B...O..E.H}...|
000001d0 ed 98 9d ae 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 |....Gp.^../...M.|
000001e0 61 40 d3 11 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b |a@......~.~.v..;|
000001f0 7e a5 3f ce fa 10 e2 59 ec 47 2d 7c ac da 4e 97 |~.?....Y.G-|..N.|
00000200 0e 15 a0 6f d0 02 42 01 4d fc be 67 13 9c 2d 05 |...o..B.M..g..-.|
00000210 0e bd 3f a3 8c 25 c1 33 13 83 0d 94 06 bb d4 37 |..?..%.3.......7|
00000220 7a f6 ec 7a c9 86 2e dd d7 11 69 7f 85 7c 56 de |z..z......i..|V.|
00000230 fb 31 78 2b e4 c7 78 0d ae cb be 9e 4e 36 24 31 |.1x+..x.....N6$1|
00000240 7b 6a 0f 39 95 12 07 8f 2a 16 03 03 00 b6 0c 00 |{j.9....*.......|
00000250 00 b2 03 00 1d 20 2f e5 7d a3 47 cd 62 43 15 28 |..... /.}.G.bC.(|
00000260 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 |.._.).0.........|
00000270 99 5f 58 cb 3b 74 06 03 00 8a 30 81 87 02 42 01 |._X.;t....0...B.|
00000280 ed a6 35 6b 28 3f cc 4a 66 c1 21 a0 ba e3 a2 c2 |..5k(?.Jf.!.....|
00000290 3b 45 41 87 9b c4 5d 01 b7 8b 01 89 b4 b1 16 99 |;EA...].........|
000002a0 72 e2 94 6d 24 f2 9f be 6a 8b 9b b5 c7 9c cb 65 |r..m$...j......e|
000002b0 38 ab 29 de 38 e5 64 4c 0b 75 67 c9 9d 5b dc 37 |8.).8.dL.ug..[.7|
000002c0 86 02 41 33 ac b4 ff f3 db f7 2c c9 0b 43 8a 62 |..A3......,..C.b|
000002d0 df 9d b9 c5 50 0b 8c f1 da 40 b1 ba a8 41 99 66 |....P....@...A.f|
000002e0 1b e8 a0 20 0b 4f 0d 1e 55 12 c5 a2 a3 89 88 a0 |... .O..U.......|
000002f0 9f 91 b9 73 9b b1 19 95 d6 53 3a b3 d7 5d 73 5c |...s.....S:..]s\|
00000300 c4 d6 6a 1a 16 03 03 00 04 0e 00 00 00 |..j..........|
>>> Flow 3 (client to server)
00000000 16 03 03 00 25 10 00 00 21 20 5e 83 48 ba 4f 66 |....%...! ^.H.Of|
00000010 74 7d 8a c6 53 d2 a9 cf 68 f1 50 f4 2a 06 74 ef |t}..S...h.P.*.t.|
00000020 07 57 b0 f9 3e 1a 49 98 52 44 14 03 03 00 01 01 |.W..>.I.RD......|
00000030 16 03 03 00 40 1a b1 de ad 95 eb 28 ed 07 ce fe |....@......(....|
00000040 8b 8a fc 9a 24 a8 c3 d4 2f 27 20 52 9d 47 ac 45 |....$.../' R.G.E|
00000050 cc 66 c0 a4 03 cb 49 3c 93 05 3c 3e 64 91 d6 5c |.f....I<..<>d..\|
00000060 f9 73 1b 18 54 0b 67 c7 97 53 c8 7d 72 18 ab 47 |.s..T.g..S.}r..G|
00000070 98 32 54 4c ff |.2TL.|
>>> Flow 4 (server to client)
00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 21 f3 63 c9 0a |...........!.c..|
00000020 7e 39 23 21 2d 2b 4b 72 47 65 30 b4 43 21 d1 d7 |~9#!-+KrGe0.C!..|
00000030 4f fa 00 65 a1 95 fd 62 2c d3 4d 7d 30 d7 fd eb |O..e...b,.M}0...|
00000040 64 08 41 d6 70 ab cf 9d 75 c5 e1 17 03 03 00 40 |d.A.p...u......@|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 50 e5 5e 3a c1 2a 71 0a ba eb 40 74 f1 70 0d 0a |P.^:.*q...@t.p..|
00000070 e1 86 22 fd 13 de e8 8f a0 d3 22 a8 62 76 ca fa |..".......".bv..|
00000080 5f 63 95 ba bb e2 f3 b3 ef 5b d8 bf 56 0b 60 53 |_c.......[..V.`S|
00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........|
000000a0 00 00 00 00 00 4d 2c 41 d8 4c 63 71 bd bc 83 5a |.....M,A.Lcq...Z|
000000b0 1b 2b b7 20 5b 14 51 d4 5b 38 4b fc 61 58 97 34 |.+. [.Q.[8K.aX.4|
000000c0 1a cf 08 f1 16 |.....|