IETF Logo Mail Archive

Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 16 May 2012 20:01 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 767AA21F861C for <tls@ietfa.amsl.com>; Wed, 16 May 2012 13:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bRW8vU1g4ujB for <tls@ietfa.amsl.com>; Wed, 16 May 2012 13:01:53 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 99BE821F85E6 for <tls@ietf.org>; Wed, 16 May 2012 13:01:53 -0700 (PDT)
Received: by eekd4 with SMTP id d4so359553eek.31 for <tls@ietf.org>; Wed, 16 May 2012 13:01:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; bh=MwVNneylJ5RqJZUakxOl/uqZyimcqejRqDJh0lIHaFs=; b=nN5QxHb1qlI8AgMwlThyvubZLZAZ0EinmFpGfKr6SjIjvwh/bChqYVzZSVvRNeq8vC PNcxWbkzmCK5f1RZnTIOSzsk5skUZ6ND/UiG+QIcqvZmoic2wdG3LO+yJxw5VITbgZbT 1UEjddYcC4ITsIjQ9ubK6JnctWZBTlbpFOWTU4ioBPp/yftOTUil95sQ/WKqrSaSxvBO QW/e7YPE+Rz8NK7WGrV5J8cf+ahkXTIQ/Tfr0KJR/QYElidDWaJBChZLnZRvamr3Si8S jHu6UTDSXab3mALDjqeS0ww6Tk7LU7xPyu22NZKkEfup42RcyDAA7z49whaDE7EhUTKL Z4rA==
Received: by 10.213.113.8 with SMTP id y8mr1751733ebp.101.1337198512811; Wed, 16 May 2012 13:01:52 -0700 (PDT)
Received: from [10.100.2.14] (d51A49E78.access.telenet.be. [81.164.158.120]) by mx.google.com with ESMTPS id z5sm17400495eem.3.2012.05.16.13.01.51 (version=SSLv3 cipher=OTHER); Wed, 16 May 2012 13:01:52 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4FB407AA.7050400@gnutls.org>
Date: Wed, 16 May 2012 22:01:46 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.3) Gecko/20120329 Icedove/10.0.3
MIME-Version: 1.0
To: tls@ietf.org
References: <4FA401F7.5060003@extendedsubset.com> <CABcZeBP=09qyD4Nuw_i-7yM9EPzZY_sPm8jVcjTneJPknP1Lug@mail.gmail.com>
In-Reply-To: <CABcZeBP=09qyD4Nuw_i-7yM9EPzZY_sPm8jVcjTneJPknP1Lug@mail.gmail.com>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 20:01:54 -0000

On 05/16/2012 07:54 PM, Eric Rescorla wrote:


> - You can fingerprint the server actively cheaply, so hiding that
>   information from a passive attacker doesn't buy you much.


You cannot always fingerprint the server cheaply. What if the server
presents different identities depending on where you connect from? In
that case passive protection of the server credentials is an advantage.

> - Fingerprinting the client is often possible if it does
>   any HTTP at all (just based on the client's HTTP headers).
>   Moreover, the cipher suite list is one of the most
>   powerful fingerprinting tools and that lives in
>   ClientHello, not ClientHello2.
> This leaves us with SNI and the client's certificate. SNI can often be


Also SRP and PSK usernames.

> Finally, we have the client certificate. The idea of protecting the
> client certificate has been discussed many times over the years, most
> recently in Paris. However, given the extremely low use of client
> certificates, the rather significant level of changes to the
> protocol to protect it, and the fact that all the proposed changes
> are vulnerable to active attack, these proposals seem of limited
> value.


Interestingly this proposal isn't vulnerable to active attacks. The
client only sends its certificate, encrypted, after the server has
presented a signed serverkeyexchange. If the client verifies that
serverkeyexchange on reception he can be sure that the only the
legitimate server knows the key to read it.

In any case certificates, and usernames typically contain e-mails and
that makes them a prime target for eavesdropping. Thus even protection
against passive attacks is an interesting property for several
use-cases.

> I don't see that this draft has a significantly different cost/benefit
> tradeoff. It's true that it protects more than the certificate,
> but (a) it still doesn't protect against active attack (b) most
> of the data it protects can be inferred by other means and (c)
> it does a lot more damage to the TLS state machine in the process.


I believe (a) isn't true. (c) is an unfortunate side-effect and by
checking the EH protocol closely, several things could be simplified
if TLS had privacy features designed in from the beginning.

My opinion is that a redesign of TLS is needed to account for privacy
as this draft does. I see this draft being as the first steps for TLS
1.3 which should include privacy protection by default. Dismissing it
without suggesting an alternative plan seems like a step backwards for
TLS and privacy.

regards,
Nikos

v2.23.0 | Report a Bug | By Email