IETF Logo Mail Archive

Re: [TLS] Quest for Unified Solution to TLS Renegotiation

"Blumenthal, Uri - 0662 - MITLL" <uri@ll.mit.edu> Sat, 28 November 2009 16:19 UTC

Return-Path: <uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0A8E3A68FF for <tls@core3.amsl.com>; Sat, 28 Nov 2009 08:19:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.544
X-Spam-Level:
X-Spam-Status: No, score=-6.544 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQHWgb-xcOWi for <tls@core3.amsl.com>; Sat, 28 Nov 2009 08:19:07 -0800 (PST)
Received: from ll.mit.edu (LLMAIL1.LL.MIT.EDU [129.55.12.41]) by core3.amsl.com (Postfix) with ESMTP id 467393A68DF for <tls@ietf.org>; Sat, 28 Nov 2009 08:19:05 -0800 (PST)
Received: (from smtp@localhost) by ll.mit.edu (8.12.10/8.8.8) id nASGIvfc024732 for <tls@ietf.org>; Sat, 28 Nov 2009 11:18:57 -0500 (EST)
Received: from lle2k7-hub01.llan.ll.mit.edu( ), claiming to be "LLE2K7-HUB01.mitll.ad.local" via SMTP by llpost, id smtpdAAAh7aiXS; Sat Nov 28 11:14:50 2009
Received: from LLE2K7-BE01.mitll.ad.local ([ ]) by LLE2K7-HUB01.mitll.ad.local ([ ]) with mapi; Sat, 28 Nov 2009 11:14:50 -0500
From: "Blumenthal, Uri - 0662 - MITLL" <uri@ll.mit.edu>
To: "'tls@ietf.org'" <tls@ietf.org>
Date: Sat, 28 Nov 2009 11:14:49 -0500
Thread-Topic: [TLS] Quest for Unified Solution to TLS Renegotiation
Thread-Index: AcpwCHl+fe77d4nPSbyXK9RmfejFsQAPW98v
Message-ID: <90E934FC4BBC1946B3C27E673B4DB0E4A7EE853F4B@LLE2K7-BE01.mitll.ad.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 16:19:08 -0000

I'm OK with it.


----- Original Message -----
From: tls-bounces@ietf.org <tls-bounces@ietf.org>
To: tls@ietf.org <tls@ietf.org>
Sent: Sat Nov 28 03:54:46 2009
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation

Yoav Nir wrote:
> On Nov 26, 2009, at 8:11 PM, Blumenthal, Uri - 0662 - MITLL wrote:
>> On 11/26/09  12:23 , "David-Sarah Hopwood" <david-sarah@jacaranda.org>
>> wrote:
>>> Blumenthal, Uri - 0662 - MITLL wrote:
>>>> Yes, previous_verify_data MUST be a part of the input to the PRF. What Yoav
>>>> Nir said (XOR-ing it with the master_secret), should work (out of hand -
>>>> anybody sees a problem with it?).
>>>
>>> The previous_verify_data is not necessarily secret, so this requires the
>>> PRF to be secure against related-key attack. The particular PRFs used in
>>> SSLv3 and TLS 1.0 to 1.2 should be secure in that sense, but (if we
>>> decide to use this approach) I still prefer what I suggested before:
>>>
>>>    verify_data =
>>>      PRF(master_secret, finished_label, Hash(handshake_messages)
>>>                                         + previous_verify_data)
>>>        [0..verify_data_length-1];
>>>
>>> which uses the PRF in a more conventional way.

I no longer think we should use this approach; the arguments in favour
of encoding the previous_verify_data in handshake_messages (see below)
are compelling.

[reordered]
>> As for SSLv3 - SMNP (Simply Not My Problem :). Would be nice to
>> address it as well, but I'd rather not bend over backwards to also
>> fix SSLv3.

SSLv3 is easy enough to fix without bending over backwards.

> I don't see why my suggestion [XORing the master_secret with the
> previous_verify_data when computing the new hashes] doesn't hold for
> SSLv3 as well.

It does, but the specification complexity is on the high side, given that
the computations would need to be spelled out for SSLv3 and TLS separately,
as well as changing CertificateVerify. Nelson's point about hardware
security modules is another reason not to do this.

Adding the previous_verify_data into handshake_messages is preferable
because:
 - it treats SSLv3 and TLS entirely uniformly;
 - there is no problem with hardware security modules;
 - the use of hashing APIs is unchanged (unlike the suggestion to
   chain all messages in the previous session before those in the
   current session);
 - it automatically causes the previous_verify_data to be included
   in the data signed by CertificateVerify, when used.

The obvious place to put it is just after ServerHello, since that is
before CertificateVerify and is the first point at which both sides
know that this session is renegotiated.

The theoretical attacks that I was worried about are solved by using
the encoding starting with bytes {20, 0, 0, 0} described in my
followup to Eric Rescorla (subject "Verify data in the RI extension" --
it doesn't seem to be in the archive yet).

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email