IETF Logo Mail Archive

[TLS] Perhaps there's another way. Was: Verify data in the RI extension?

Marsh Ray <marsh@extendedsubset.com> Thu, 26 November 2009 17:10 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A37C3A6920 for <tls@core3.amsl.com>; Thu, 26 Nov 2009 09:10:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.465
X-Spam-Level:
X-Spam-Status: No, score=-2.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C92RVRbx-uoS for <tls@core3.amsl.com>; Thu, 26 Nov 2009 09:10:41 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 3B9763A6A96 for <tls@ietf.org>; Thu, 26 Nov 2009 09:10:41 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NDhrV-0003FL-Vc; Thu, 26 Nov 2009 17:10:34 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id B34A2603A; Thu, 26 Nov 2009 17:10:31 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18D+Mqm3jLnwQtjggLRRQ8Wr0SilXF11Ek=
Message-ID: <4B0EB686.4090905@extendedsubset.com>
Date: Thu, 26 Nov 2009 11:10:30 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <C733FAC4.6B2F%stefan@aaa-sec.com> <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com>
In-Reply-To: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Perhaps there's another way. Was: Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 17:10:45 -0000

Yoav Nir wrote:
> 
> As far as implementation complexity, it's a wash. You have to have
> some long-term "state", which now must include the old verify_data.
> There's no way around that.

Perhaps, but that state does not need to be more that a bit or two in
each direction for the signaling.

State derived from the previous handshake is already available at both
endpoints. It is not necessary to carry over more!

This state currently resides in:
    client write MAC secret
    server write MAC secret
    client write key
    server write key

These secure entropy within these parameters are considered sufficient
to protect all the application data, why aren't they good enough to
establish continuity-of-identity across the renegotiation?

Seems to me the MAC_secret is better than the Finished message if for no
other reason than it's 20 bytes instead of 12. Currently, all this
hard-won entropy is discarded at the CCS. A tragedy!

My proposal:

At the CCS, instead of replacing the client/server MAC secret data,
simply XOR-merge the incoming values with the previous ones.

* A one-line software change.
* Easy even in hardware.
* Preserves more entropy.
* No changes to PRF.

Please actively attempt to shoot it down.

- Marsh

v2.23.0 | Report a Bug | By Email