IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-cached-info-19

Sean Turner <turners@ieca.com> Tue, 15 September 2015 20:24 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64F251ACEBC for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 13:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5Veiala1_Ko for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 13:24:19 -0700 (PDT)
Received: from gateway26.websitewelcome.com (gateway26.websitewelcome.com [192.185.26.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E77141ACEB2 for <tls@ietf.org>; Tue, 15 Sep 2015 13:24:18 -0700 (PDT)
Received: by gateway26.websitewelcome.com (Postfix, from userid 1000) id 6FF47CA208439; Tue, 15 Sep 2015 15:24:18 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway26.websitewelcome.com (Postfix) with ESMTP id 5A7F1CA207983 for <tls@ietf.org>; Tue, 15 Sep 2015 15:24:18 -0500 (CDT)
Received: from [75.144.26.38] (port=49867 helo=[10.0.0.131]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.85) (envelope-from <turners@ieca.com>) id 1Zbwm0-000MXK-Ue; Tue, 15 Sep 2015 15:24:17 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <55DB489C.80505@gmx.net>
Date: Tue, 15 Sep 2015 13:24:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <52059B88-E78B-4E99-9B96-5BC549F04DF9@ieca.com>
References: <CAOgPGoBivgXGKpZH=4mSkrVaKyg9YPi05rphs3VOcvuiFfPzrg@mail.gmail.com> <CABkgnnU++z-r3m2p-+k-6i8BwE5o9wXULS0RVJfCG1+nmkY13Q@mail.gmail.com> <55DB489C.80505@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 75.144.26.38
X-Exim-ID: 1Zbwm0-000MXK-Ue
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([10.0.0.131]) [75.144.26.38]:49867
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6ybVhXIhmbIKrsM8mXzxcun8mMA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 20:24:21 -0000

Hannes,

Go ahead and post the -20 version so we can get this ball rolling.

spt

On Aug 24, 2015, at 09:38, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Martin,
> 
> thanks for your review.
> 
> On 08/06/2015 10:33 PM, Martin Thomson wrote:
>> I've read this draft before, but this is considerably different to
>> what I read, and I haven't been following the discussion, so consider
>> this as a review with fresh eyes.
>> 
>> First the high points.  I think that this is useful, the right scope,
>> and reasonably well formulated.  I have a couple of minor points
>> 
>> Figure 2 is in error: it shows CertificateRequest instead of Certificate.
> 
> Good catch. A copy-and-paste error.
> 
>> 
>> I'd like to see the document explicitly note that msg_type and length
>> from the handshake message are not covered by the hash.  The
>> description of what is covered is a little too terse (and badly
>> formatted).
> 
> There are multiple message type / message length fields included in the
> message and I am not sure which of those you rare referring to.
> 
> The msg_type and msg_length from the record layer is not part of the
> fingerprint calculation. The spec only focuses on the certificate
> message in Section 4.1 and the CertificateRequest message in Section
> 4.2. These message do, however, also contain length information.
> 
> I included an example into the document. See Appendix A:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/tls-cached-info/draft-ietf-tls-cached-info-20.txt
> 
>> 
>> I'm not sure that I like the lack of both negotiation and signaling
>> for the hashes that are used here.
> 
> We had a negotiation capability in earlier versions of the document but
> it appeared to be an overkill.
> 
> What is there now is essentially an indication of the hash algorithm
> based on what the client presents with the CachedInformationType
> structure. If you need support for a new algorithm then add a new type
> (and the implementation). We could make it easier to add new algorithms
> (via the expert review process). We could also register another
> algorithm already now, if found necessary.
> 
>> Though I think the chances of a
>> collision being found, or that a collision would lead to an attack,
>> are slim, I would rather see this use the PRF hash so we have at least
>> that much flexibility.
> 
> While there is indeed a possibility for hash collisions those will still
> lead to a failed exchange since the TLS server will not possess the
> correct private key that corresponds to the cached certificate.
> 
>> If the current design is retained, I would
>> like to see a little discussion of this in the document.  A little
>> analysis of the properties we expect the hash to provide would also be
>> good.
>> 
>> I think that truncated hashes might be advantageous from the server
>> side.  Given that the server only uses hashes to identify which of the
>> offered (available, known?) cached information is in use, is there any
>> reason you can't save additional space by arbitrarily truncating the
>> hash?  In many cases I would imagine that the client would be offering
>> only one option and even if there were a small number of options
>> presented, a single byte would suffice to disambiguate.
>> 
>> I'm trying to think why you might want the full-length hash on the
>> client side, but I believe that the only problem there is that there
>> might be a collision between the certificates that a server might
>> offer if you truncate too aggressively.  The connection still relies
>> on the server presenting proof of knowledge of a key that the client
>> extracts from a certificate bound to the server identity, so I believe
>> that it would be equally secure if you removed all mention of
>> certificates from the protocol.  And that makes me nervous, because
>> I'm fairly sure that Karthik will tell me that I'm wrong very shortly;
>> since we've put in a lot of work to cover key fields in the handshake
>> hash, and I'm concerned that this could be exploited somehow.
>> 
>> The more I think about this, the more I think that we need a little
>> more analysis on this point (i.e., what properties the hash function
>> needs to provide and why).  If it has already happened, mention of
>> that in the security considerations is needed.
>> 
>> (I think that truncation on the server side is safe if the client uses
>> a strong hash function to identify the certificate, but I'm frequently
>> wrong about these things.)
>> 
> There are three designs possible for referencing the cached state, namely
> 
> 1) The client creates the reference.
> 
> This is the current approach. The client creates a reference (via the
> use of the hash function) and tells the server that it has seen certain
> parameters before and that there is no need to re-transmit them.
> 
> 2) The server creates the reference.
> 
> In this design the server allocates the reference and sends it to the
> client. The client
> 
> 3) There is no reference at all.
> 
> The client just tells the server not to send certain payloads because it
> has cached something already previously. While the server does not get
> told what has been cached the worst thing that can happen is that the
> exchange fails (in which case the client has to fall back to a full
> exchange).
> 
> Which approach do you prefer? We had various iterations of this
> throughout the lifetime of the document.
> 
> Independently of these three approaches it is certainly true that fewer
> bytes transmitted over the wire are preferable.
> 
> Ciao
> Hannes
> 
>> 
>> On 6 August 2015 at 10:24, Joseph Salowey <joe@salowey.net> wrote:
>>> Hi Folks,
>>> 
>>> This is the Working Group last call for draft-ietf-tls-cached-info-19.  This
>>> document has undergone modification since last WGLC so another WGLC is
>>> appropriate.  This document is a dependency for the DICE working group
>>> TLS/DTLS profile. Please send your comments to the TLS list by September 2,
>>> 2015.
>>> 
>>> Thanks,
>>> 
>>> J&S
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email