[TLS] Redefine Finished message for TLS 1.3 ?

Nelson B Bolyard <nelson@bolyard.me> Sat, 14 November 2009 19:10 UTC

Return-Path: <nelson@bolyard.me>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C8463A67ED for <tls@core3.amsl.com>; Sat, 14 Nov 2009 11:10:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tuQBTJGWRMzJ for <tls@core3.amsl.com>; Sat, 14 Nov 2009 11:10:49 -0800 (PST)
Received: from p3plsmtpa01-03.prod.phx3.secureserver.net (p3plsmtpa01-03.prod.phx3.secureserver.net [72.167.82.83]) by core3.amsl.com (Postfix) with SMTP id 1E9B83A67B0 for <tls@ietf.org>; Sat, 14 Nov 2009 11:10:48 -0800 (PST)
Received: (qmail 4948 invoked from network); 14 Nov 2009 19:11:19 -0000
Received: from unknown (24.5.142.42) by p3plsmtpa01-03.prod.phx3.secureserver.net (72.167.82.83) with ESMTP; 14 Nov 2009 19:11:19 -0000
Message-ID: <4AFF0153.3090005@bolyard.me>
Date: Sat, 14 Nov 2009 11:13:23 -0800
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: tls@ietf.org
References: <20091112181844.GE1105@Sun.COM> <200911122036.nACKa96m016227@fs4113.wdf.sap.corp> <20091112203847.GL1105@Sun.COM> <20091113082235.C55F469F381@kilo.networkresonance.com> <20091113164608.GT1105@Sun.COM>
In-Reply-To: <20091113164608.GT1105@Sun.COM>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2009 19:10:50 -0000

On 2009-11-13 08:46 PDT, Nicolas Williams wrote:
> On Fri, Nov 13, 2009 at 10:22:35AM +0200, Eric Rescorla wrote:
>> At Thu, 12 Nov 2009 14:38:47 -0600, > Nicolas Williams wrote:
>>> Interestingly, that approach could even be used on initial
>>> connections to detect if the server will support secure
>>> re-negotiation _before_ the client ever tries it.
>>
>> I don't see that. AFAICT both your options involve the client
>> generating a hello extension, so this does affect the bits on the wire.
>> Obviously there are approaches which don't require that, but they don't
>> provide detection of server capabilities on initial negotiation. By
>> contrast your message of 1854 doesn't allow the client to probe the
>> server AFAICT.
> 
> The post with message-ID <20091113005419.GQ1105@Sun.COM>, subject
> "Comments on draft-rescorla-tls-renegotiate", sent at 18:54:19 -0600
> yesterday most certainly described no Hello extensions, only a Finished 
> message verify_data computation change.

EKR and Marsh Ray and some others will recall that I proposed essentially
the same proposal that Nico is now proposing in the meeting meeting in
Mountain View on September 29, 2009 to which Marsh Ray invited EKR, myself
and numerous others from this working group.

I proposed that a change in the computation of the TLS Finished message
to include some value derived from the master secret previously in use on
the connection before the current renegotiation (such as the Finished
message contents or some other value "extracted" from the master secret)
would avoid the overhead of the new extensions on the wire.  My goal was
to avoid the extra bandwidth and memory cost of those extensions, which
might be deemed too costly in certain low memory or bandwidth constrained
applications.

Others in the meeting responded that changing the definition of the
computation of the Finished messages was a change to the base protocol
specification (which adding an extension is not), and thus the change
I proposed would make TLS become (say) TLS 1.3.

The proposed new extension could be implemented as a patch to an extant
implementation of TLS 1.0, but an implementation of TLS 1.3 would presumably
require the implementation of all the changes in TLS 1.1 and
1.2 first, which would be a much bigger and slower undertaking for many
TLS implementations.

So, for the sake of hasty implementation, we abandoned the approach that
redefines the Finished message and went with the new extension.

But perhaps we should regard the new extension as a short term expedient,
and plan to change the definition of the Finished message in TLS 1.3,
so that the extension will no longer be necessary at some point in the
future (when TLS 1.3 has become common place, maybe 10 years hence).

Does the Working Group share interest in redefining the Finished message
computation for TLS 1.3?