Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

Stefan Santesson <stefan@aaa-sec.com> Tue, 11 May 2010 15:46 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 148F53A6995 for <tls@core3.amsl.com>; Tue, 11 May 2010 08:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.2
X-Spam-Level:
X-Spam-Status: No, score=0.2 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HELO_EQ_SE=0.35, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bz9K6vpL7dRV for <tls@core3.amsl.com>; Tue, 11 May 2010 08:46:09 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.112]) by core3.amsl.com (Postfix) with ESMTP id 111823A68C7 for <tls@ietf.org>; Tue, 11 May 2010 08:46:08 -0700 (PDT)
Received: from s57.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id C90F02AC63B for <tls@ietf.org>; Tue, 11 May 2010 17:46:00 +0200 (CEST)
Received: (qmail 3174 invoked from network); 11 May 2010 15:45:54 -0000
Received: from 77-44-20-79.xdsl.business-dsl.co.uk (HELO [42.33.36.86]) (stefan@fiddler.nu@[77.44.20.79]) (envelope-sender <stefan@aaa-sec.com>) by s57.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <Nicolas.Williams@oracle.com>; 11 May 2010 15:45:54 -0000
User-Agent: Microsoft-Entourage/12.24.0.100205
Date: Tue, 11 May 2010 16:45:51 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>, Martin Rex <mrex@sap.com>
Message-ID: <C80F3A3F.AB88%stefan@aaa-sec.com>
Thread-Topic: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
Thread-Index: AcrxIQhcGLPHIQYwnUSfI4LJh/emKg==
In-Reply-To: <20100511152153.GF9429@oracle.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: paul.hoffman@vpnc.org, tls@ietf.org
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 15:46:10 -0000

Wouldn't this be solved automatically if the cache is flushed upon failure?

/Stefan


On 10-05-11 5:21 PM, "Nicolas Williams" <Nicolas.Williams@oracle.com> wrote:

> On Tue, May 11, 2010 at 03:39:50PM +0200, Martin Rex wrote:
>> Nicolas Williams wrote:
>>> Well...  Many applications might not.  Can the handshake be retried
>>> transparently to the application?  Or will the application have to
>>> close() its socket and re-connect()?
>> 
>> Re-thinking this scenario, I do not think that is a workable approach.
>> 
>> The reason why I originally asked for using a (sha-1) hash value over the
>> replaced data instead of a simple, server-assigned identifier,
>> was robustness.  Going through a handshake failure is _NOT_ an option.
> 
> That's what I expect as well, that handshake failure is not transparent
> to _all_ applications, and that any retry logic will have to be in the
> application.  That makes this protocol a bit problematic -- failures
> will be rare, no doubt, so rare that we might not care, but when they
> happen the application won't know that the failure is not permanent.
> For browsers that may not be a problem (the user will just reload); for
> non-browser apps (and scripts running in the browser!) this could be a
> problem.
> 
>> I wanted to avoid the cache of the server and client to get out-of-sync,
>> and the use of a sha-1 hash value over the real data instead of that
>> data should be sufficiently robust so that the server will send the
>> real data in case the clients cached value differs from what the
>> server would normally send.
> 
> I don't see how to recover from collisions, transparently to apps,
> without either adding round-trips, which is supposed to be a big no-no,
> or making handshakes retriable (I'm assuming they aren't).
> 
>> It is generally impossible to recover from a TLS handshake failure.
> 
> Well, the app can retry.
> 
> Also, StartTLS protocols might be able to retry without the application
> having to disconnect/reconnect.
> 
>> It normally requires closure of the existing connection and opening
>> of a new connection because it is completely unspecified how to
>> recover from a TLS handshake failure on a connection (and how to
>> clear the network pipe from unprocessed data from the previous handshake).
> 
> It's easy to clear the "pipe" since the records have lengths.
> 
>> If a client-side proxy traversal is involved, a full app-level proxy
>> handshake is required.  If proxy traversal requires an OTP authentication,
>> it will be completely impossible without user interaction.
> 
> Is there such a thing as proxies that require OTP for authentication?
> 
> Nico