Re: [TLS] renego, patricide, putting out to stud, etc.

Ravi Ganesan <ravi@findravi.com> Thu, 31 December 2009 23:43 UTC

Return-Path: <ravi@findravi.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19EF33A6917 for <tls@core3.amsl.com>; Thu, 31 Dec 2009 15:43:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[AWL=-0.029, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KW7sjiWR2U1z for <tls@core3.amsl.com>; Thu, 31 Dec 2009 15:43:14 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id C05DB3A6919 for <tls@ietf.org>; Thu, 31 Dec 2009 15:43:14 -0800 (PST)
Received: by pwi20 with SMTP id 20so8813502pwi.29 for <tls@ietf.org>; Thu, 31 Dec 2009 15:42:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.115.151.5 with SMTP id d5mr13755385wao.204.1262302970807; Thu, 31 Dec 2009 15:42:50 -0800 (PST)
In-Reply-To: <4B3D0388.7010709@jacaranda.org>
References: <3561bdcc0912302220t7fad9ccfqf5103e6f120288ba@mail.gmail.com> <4B3D0388.7010709@jacaranda.org>
Date: Thu, 31 Dec 2009 15:42:50 -0800
Message-ID: <3561bdcc0912311542i1f2172c1na34e298d102d4408@mail.gmail.com>
From: Ravi Ganesan <ravi@findravi.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
Content-Type: multipart/alternative; boundary=0016e64eeb642c84db047c0ed015
Cc: tls@ietf.org
Subject: Re: [TLS] renego, patricide, putting out to stud, etc.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 23:43:16 -0000

>> OK, but that's a fairly complicated way of describing the semantics. Also
>> you used the term "session" to describe the nodes:

It is somewhat complicated, but I think it is the minimum needed. I just
feel getting into connections, sessions, channels, all words which carry
unintended baggage, does not seem to be working.  Just consider if I am the
Client and you are the Server, and we open a thingy (call it A) communicate
for a while. Use A to spawn two more thingys in parallel using abbreviated
handshakes (B and C). Then do a renego using full handshake on B (gives us
D). D then spawns two more thingys using abbreviated handshakes (E and F). F
happens to do a renego using a full handshakes to spawn G. In the meanwhile
we do a full handshake renego on A, and then.... you are asked to explain in
retrospect exactly what on earth happened. If you use my approach of tagging
each of the nodes A,B,C,D,E, F and G with the six variables (session-id,
master-secret, client-random, server-random, auth knowledge and RI), and
show which of them change from parent to child, you will end up with a
compact tree with the properties I mentioned.

But of course I am biased, I feel it is limiting to use words that limit TLS
to "sockets" or "connections", needlessly.  For instance  what does a
connection mean if the binding is not TCP? e.g.  EKR's work on UDP, mine on
HTTP, Gajek et al on SOAP).
This bias aside, however, I think the tree with its state transitions is
useful even for regular TLS. Especially since we are keeping chained hashes
around.


Message: 1
> Date: Wed, 30 Dec 2009 16:46:49 -0800
> From: Ravi Ganesan <ravi@findravi.com>
> Subject: Re: [TLS] sessions, contexts, etc.
> To: tls@ietf.org
> Message-ID:
>        <3561bdcc0912301646p65923143t1b138fb17b75d9@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Does something along these lines work as a pedagogical device? Nodes
> characterized by the parameters of relevance. A root node, three types of
> ways to spawn a child node. What a child inherits from parent, etc...
>
> At the end of a TLS handshake, the Client and the Server share six key
> pieces of information:
> (i) a session-id  /*Public information */
> (ii) a shared master-secret /*Secret. Known only to Client and Server */
> (iii) the client-random and /* May be public or secret */
> (iv) the server-random.  /*May be public or secret*/
> (v) authentication knowledge /* Namely, the Client MAY know that is has
> authenticated the Server (in practice this almost always is true). The
> Server MAY know that it has authenticated the Client (relatively rare in
> practice, but an important sub-category).
> (vi) renegotiation-information /*The newly introduced RI field at the end
> of
> the handshake. */
>
>
> When the  Client and a Server share NONE of the above six pieces of data,
> the Client will typically initiate a completely fresh session using the
> FULL
> handshake.  Such a session is called a ROOT session. A Client and a Server
> who have completed a ROOT session can engage in further handshakes to
> create
> new sessions, which in turn can create further sessions. Treating each
> session as a node in a graph we can get a tree rooted at the ROOT.
>
> Each node can spawn a child node using three different techniques as
> follows:
>
> i) A node can create a child-node by performing an abbreviated handshake.
> Such an abbreviated-child inherits the session-id, the shared master-secret
> and the authentication-knowledge, from its parent (these CANNOT change). It
> gets new client-random, server-random and starts afresh with
> renegotiation-information.  This technique of spawning a child node is
> usually used for efficiency considerations (abbrv. handshake requires no
> PKI
> operations, which is why it cannot be used to update
> authentication-knowledge of the other end either).  The creation of such a
> child-node does NOT result in the previous node becoming inactive.
>
> ii) A node can create a child node by performing renegotiation, followed by
> a full handshake. Such a full-renego-child, starts afresh with new values
> for all of the first five parameters. The only parameter which keeps it
> tied
> to this tree is the renegotiation-information, which is derived from the
> handshake and the parent-node's renegotiation-information. The primary
> use-case for this technique is  to update authentication-knowledge of the
> Server (i.e. does it know who the Client is?).  The creation of such a
> child
> node means the parent node can no longer be used.
>
> iii) A node can create a child node by performing renegotiation followed by
> an abbreviated handshake. Such a abbrv-renego-child inherits the
> session-id,
> shared-master-secret and authentication-information of its parent. There is
> a new client-random and server-random, and as in a full-renego-child, the
> renegotiation-information is derived from the handshake and the the
> renegotiation-information of its parent.  I do not know why this use-case
> exists; the encryption/hashing keys change but it is questionable if that
> adds any protection. The creation of such a child node means the parent
> node
> can no longer be used.
>
> Observe that each of the different child nodes can give birth to any of the
> other three types of children.
>
>