Re: [TLS] make ChangeCipherSpec a handshake message
Hauke Mehrtens <hauke@hauke-m.de> Sun, 28 December 2014 17:48 UTC
Return-Path: <hauke@hauke-m.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72331AD630 for <tls@ietfa.amsl.com>; Sun, 28 Dec 2014 09:48:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.562
X-Spam-Level:
X-Spam-Status: No, score=-1.562 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwQ4wcXVrrgO for <tls@ietfa.amsl.com>; Sun, 28 Dec 2014 09:48:53 -0800 (PST)
Received: from hauke-m.de (hauke-m.de [5.39.93.123]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D549C1AD62E for <tls@ietf.org>; Sun, 28 Dec 2014 09:48:52 -0800 (PST)
Received: from [IPv6:2001:67c:20a1:1192:224:d7ff:fe5f:d4e4] (unknown [IPv6:2001:67c:20a1:1192:224:d7ff:fe5f:d4e4]) by hauke-m.de (Postfix) with ESMTPSA id 8CE542016F; Sun, 28 Dec 2014 18:48:51 +0100 (CET)
Message-ID: <54A04282.1050403@hauke-m.de>
Date: Sun, 28 Dec 2014 18:48:50 +0100
From: Hauke Mehrtens <hauke@hauke-m.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.3.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <54A0389F.2070800@hauke-m.de> <20141228172056.GA31928@LK-Perkele-VII>
In-Reply-To: <20141228172056.GA31928@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3kdel6Es-h6EyFU_vpp9Z59jOIw
Cc: tls@ietf.org
Subject: Re: [TLS] make ChangeCipherSpec a handshake message
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Dec 2014 17:48:53 -0000
On 12/28/2014 06:20 PM, Ilari Liusvaara wrote: > On Sun, Dec 28, 2014 at 06:06:39PM +0100, Hauke Mehrtens wrote: >> Why is ChangeCipherSpec a special type and not just a handshake message? >> It is only send in the handshake and preceded and followed by handshake >> messages. >> >> DTLS has some functionality for reordering of handshake messages. All >> the handshake messages have a message_seq field which is used to bring >> the messages into the right order again and detect duplicates. The >> messages can get into the wrong order if they are send independently and >> not the hole flight in one turn. This gets even messier when the >> packages are getting retransmitted. When packages are getting >> retransmitted all packages from a flight are getting retransmitted even >> if just one of these packages were not received. With the message_seq >> field one can detect if this package was already received and what is >> the next package to handle. > > I think the plan is to rip out CCS entierely, that is, rely on handshake > state machine to initate the key transitions (which should make it more > difficult to get wrong). Removing CCS entirely is the best solution. I haven't seen any discussions about this plan. I just looked into the TLS 1.3 handshake in more detail and it should be pretty easy to detect where a CCS should be. As long as all handshakes are using ECDHE, DHE or something with a similar handshake I do not see a problem with just removing the CCS message, but when something like static PSK Cipher are getting added and the handshake is very different there it could cause some problem. (I haven't thought in detail about this) Actually in the DTLS implementation I worked on, I placed the CCS message more or less by guessing form the context. Hauke
- [TLS] make ChangeCipherSpec a handshake message Hauke Mehrtens
- Re: [TLS] make ChangeCipherSpec a handshake messa… Ilari Liusvaara
- Re: [TLS] make ChangeCipherSpec a handshake messa… Hauke Mehrtens