Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
mrex@sap.com (Martin Rex) Fri, 23 January 2015 19:31 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7585C1ACEDD for <tls@ietfa.amsl.com>; Fri, 23 Jan 2015 11:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.151
X-Spam-Level:
X-Spam-Status: No, score=-5.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3ixFul54hCe for <tls@ietfa.amsl.com>; Fri, 23 Jan 2015 11:31:46 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3AD81A212A for <tls@ietf.org>; Fri, 23 Jan 2015 11:31:45 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 81BDC3A44D; Fri, 23 Jan 2015 20:31:43 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7843542D73; Fri, 23 Jan 2015 20:31:43 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 7251A1B117; Fri, 23 Jan 2015 20:31:43 +0100 (CET)
In-Reply-To: <54C1B2EC.2060507@metaparadigm.com>
To: Michael Clark <michael@metaparadigm.com>
Date: Fri, 23 Jan 2015 20:31:43 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150123193143.7251A1B117@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-I1yEJ0SNlQ3cUl7HKq-c5VrOOw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 19:31:48 -0000
Michael Clark wrote: > > 4). MUST Include the entire handshake record layer rather than > content in the veryify_data hash Excuse me while I panic. There seems to be a complete misunderstanding of the TLS protocol. The TLS record protocol was *INTENTED* to be independent of the protocol inside (handshake, appdata, alerts, ccs). > --- a/draft-ietf-tls-tls13.md > +++ b/draft-ietf-tls-tls13.md > @@ -2674,7 +2674,7 @@ Structure of this message: > > > verify_data > -: PRF(hs_master_secret, finished_label, Hash(handshake_messages)) > +: PRF(hs_master_secret, finished_label, Hash(handshake_records)) > [0..verify_data_length-1]; This would be totally wrong. The TLS record layer protocol was designed to be independent of the protocols within ON PURPOSE. In particular, the TLS record protocol is independent from the protocol within about fragmenting and coalescing data. Look at the TLS protocol handshake flowchart: https://tools.ietf.org/html/rfc2246#page-31 Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data How the TLS record layer packages the initial response from the server to the client into TLS records, is entirely up to the TLS record layer and irrelevant to the computation of handshake message hash and the TLS finished handshake messages: ServerHello Certificate* ServerKeyExchange* CertificateRequest* ServerHelloDone i.e. whether each handshake message is packaged into a seperate TLS record, whether some or all of them are stuffed into one record -- and where exactly the fragmentation will occur if the maximum TLS plaintext size (2^14 = 16384 bytes) is reached, is entirely at the discretion of the TLS record layer, and the TLS handshake protocol engine does not know or care about it. This complete independence is likely also the reason why ChangeCipherSpec is a seperate content type (this forces flushing of the record layer buffers, because the record layer might want to coalesce handshake messages, e.g. in the abbreviated handshake for the server response: Client Server ClientHello --------> ServerHello [ChangeCipherSpec] <-------- Finished While this might not be an issue for TLSv1.3 when Renegotiation is dropped -- completely ignoring additional HelloRequests from the server would not be possible if the handshake message hash would cover *EVERYTHING* rather than only the handshake messages that belong to the current handshake. -Martin
- [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-0… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hanno Böck
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Adam Langley
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Andrei Popov
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Watson Ladd
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael D'Errico
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- [TLS] advertizing the minimum TLS supported versi… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hubert Kario
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Dave Garrett
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex