Re: [TLS] Finished stuffing

Eric Rescorla <ekr@rtfm.com> Sat, 17 September 2016 21:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3136712B00C for <tls@ietfa.amsl.com>; Sat, 17 Sep 2016 14:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WnOnVgVt_dhR for <tls@ietfa.amsl.com>; Sat, 17 Sep 2016 14:44:31 -0700 (PDT)
Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26478126D74 for <tls@ietf.org>; Sat, 17 Sep 2016 14:44:31 -0700 (PDT)
Received: by mail-yb0-x229.google.com with SMTP id i66so64331450yba.0 for <tls@ietf.org>; Sat, 17 Sep 2016 14:44:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PpbQWoQIzTH3d2HYCulIB49BT9XbiRt2tvJL0M0iLDc=; b=r/KPXRBl2M55XIYqGu0sj6ixHvZB6HiXYp1Kg8kaSm68PP52nvS7sgGPsRNVyeb5VZ wAVyavlPMSQE3wTSVM1gB5VxvVknXMjhKFJ44of8GN+Ttbhqsf9X7IxKlwAMAM2f4qDG tsQH9dB5m/tEvBgCUlMlIk/LeF9xVavpAcTWqT+RSTHdPH7EZM26dodiaHi9zje9sySt TXLW34ULIc6XKpbuzVqqpX9/luLEkz7o4FX/6qsIWhMS0xa+Rc6Jly4m2khBAYrgIehh 83Q6/pn8bTW6kB499oXdR5of67f7gJsuyEzxzwNbZH20h0k06s/KOdmr54IBAev5lj/y OM/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PpbQWoQIzTH3d2HYCulIB49BT9XbiRt2tvJL0M0iLDc=; b=G65qs87oGETVw8xwYT9dBY5BnfJkfN6icq4gNW8VXzO3SWuDDJLfnelYTiUvSe1784 zOgUP++X/KS0No7qcLJWta0pxo//xp39FVyD3ZOThR/R7U8tMIAIoCX7mjyUfp5qlJMo zSMdn8YWeh6Qkk1bhN9QRV7iaOKLDCoUrGr9/p+Pzt4uooKL+0so+hUrc2KqoyWWpHJh CbU1/acuOMc4DNA+aRlz8TwgEeoXbVoGVO+HOZFHd4tGfCuruBcXVsQwWStTB/SBGUKa j/CFSCJj2Lmaw21O6WT0OXAFW0zybyVhVTEGJPhVpWpoeFz4IXpZWnJgds8c/9KRbdA/ Ptdw==
X-Gm-Message-State: AE9vXwPRnSTpoC3G3WQDbRRqoA5eanIbOk0U0ypwZx9z77c9nYITTe1Id5sFf9oFWNCYAzkSnxB3BhbGXY86Pg==
X-Received: by 10.37.12.136 with SMTP id 130mr16032625ybm.161.1474148670324; Sat, 17 Sep 2016 14:44:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.160.10 with HTTP; Sat, 17 Sep 2016 14:43:49 -0700 (PDT)
In-Reply-To: <20160913191510.hfumchrmzvfplnlm@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNqs+6SYsA9SnED8nWkUXifSPuF4gBdRG-gJamtWmxWNw@mail.gmail.com> <CABcZeBP890QrcbpGR9Ht2RkfHShavkkDmvvKPP+81x8Bz+SeDA@mail.gmail.com> <CAF8qwaCVyRrSm-XtL6Jd_VKD9qGmCJNFJW1GZVjmidsr3DnW_Q@mail.gmail.com> <CAOgPGoD8YEr=+c8eG+YZ=6nSvFB2uk7MiKNgN7Z=wg7ihAUhzg@mail.gmail.com> <e1048616-22f9-4f37-ee1c-712f97213e31@akamai.com> <20160909201903.t726g3tywns2pfuq@LK-Perkele-V2.elisa-laajakaista.fi> <599816da-8c60-938d-d6c0-3ec1510e2b96@akamai.com> <20160913191510.hfumchrmzvfplnlm@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 17 Sep 2016 14:43:49 -0700
Message-ID: <CABcZeBM7J8r2P2MoqLJ0UTKg7M1JDJ-_YN_KA-Tk=rz=KbgMaw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113e5f58d7a02c053cbafb3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/26nSXSYlqfAWqHT0jchYQ2fbqEA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Finished stuffing
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Sep 2016 21:44:33 -0000

On Tue, Sep 13, 2016 at 12:15 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Tue, Sep 13, 2016 at 12:04:40PM -0500, Benjamin Kaduk wrote:
> >
> >
> > On 09/09/2016 03:19 PM, Ilari Liusvaara wrote:
> > > On Fri, Sep 09, 2016 at 02:50:59PM -0500, Benjamin Kaduk wrote:
> >
> > >> I have a slight (i.e., unjustified) preference for doing
> > >> ClientHello-with-block-of-zeros rather than prefix-of-ClientHello.
> (Is
> > >> there a reason to require this extension to be the last one with
> > >> block-of-zeros?  Clearly there is for prefix-of-ClientHello.)
> > > What about the case where client tries DHE-PSK and gets attempt
> > > rejected because of missing group (or because address verification)?
> > > 0-RTT is gone yes, but the PSK attempt isn't.
> > >
> > > What happens to the hash in this case?
> > >
> > >
> >
> > I feel like I must be missing something, but I don't really understand
> > the question.  (Sadly, waiting in the hope that someone else did
> > understand and would respond didn't work.)  The 0-RTT failed, so the
> > full handshake will have an actual Finished message, with a different
> > hash calculated (including over the "hello_finished" extension).  The
> > most plausible way I could interpret the question seems to be asking
> > about the lack of Hash(resumption_context) in the 1-RTT Finished, but
> > the security properties of that should be the same as for the
> > hello_finished, so I'm still puzzled.
> >
> > Sorry for being dense...
>
> I mean the following case (perhaps bit misconfigured server):
>
> Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,.
> ..,finished=zot)
> Server: HelloRetryRequest(group=24)
> Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,
> 24:quux,...,finished=???)
>
>
> What is the finished data calculated over in the second case?
>

In this case, I believe that the finished is computed over
"ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,24:quux,..."

But that the handshake transcript is computed over all of:
"Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,.
..,finished=zot)
Server: HelloRetryRequest(group=24)
Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,
24:quux,...,finished=???)"

-Ekr

-Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>