IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Wed, 18 November 2009 18:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B559C3A698D for <tls@core3.amsl.com>; Wed, 18 Nov 2009 10:37:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.049
X-Spam-Level:
X-Spam-Status: No, score=-6.049 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wDrI-TYmamXa for <tls@core3.amsl.com>; Wed, 18 Nov 2009 10:37:38 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id A5E333A6828 for <tls@ietf.org>; Wed, 18 Nov 2009 10:37:36 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nAIIbXBu028004 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Nov 2009 19:37:33 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911181837.nAIIbXJu009133@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 18 Nov 2009 19:37:33 +0100
In-Reply-To: <4B0421D0.50509@pobox.com> from "Michael D'Errico" at Nov 18, 9 08:33:20 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 18:37:38 -0000

Michael D'Errico wrote:
> 
> > 2) Is that we seem to agree that TLS 1.3 will have an updated finished
> > calculation anyway, not requiring the use of extensions. If we define that
> > "future" finished calculation now and use it in the simplistic approach,
> > then that would actually be closer to future versions of TLS, compared with
> > an extension approach.
> 
> This is one of the reasons I so dislike RI.  The alternative presented
> modifies the Finished calculation in a way that is forward-compatible;
> it can be the default for future TLS versions, and that is the way it
> is implemented in my code now.  If people don't like adding the previous
> verify_data to the stream of handshake messages so it gets hashed along
> with the rest, then please suggest a better way.
> 
> One note: at first I didn't like the idea of inserting the verify_data
> immediately after the ServerHello, but when I implemented it, that was
> actually the most natural place to put it.

For the client, it is _the_ position where it reliably is in the posession
of the Server.Finished from the previous TLS handshake. (Think of
optimizing an renegotiation in order to protect the client identity,
where one wants to piggy back the ClientHello of the immediate
renegotiation onto the Client.Finished message.

Does anyone remeber that the TLS WG gave the advice to people asking
for identity protection to perform an initial client-anonymous
TLS handshake directly followed by a renegotiation with client-cert
authentication?

(a related discussion what about gss-api authentication
 around 20-dec-2006, Subject: [TLS] Comments on TLS identity protection)


-Martin

v2.23.0 | Report a Bug | By Email