Re: [TLS] Call for adoption: draft-bhargavan-tls-session-hash

Michael StJohns <> Mon, 21 July 2014 17:35 UTC

On 7/21/2014 11:08 AM, Sean Turner wrote:
> At the TLS interim meeting held Sunday the 20th of July 2014, we discussed adopting the following draft:
> There was consensus to adopt it with the stipulation that the Signaling Cipher Suite Value (SCSV) be removed.  Please indicate whether you object to adoption (and why) by July 25, 2014.
> spt
> PS Stay tuned for an early code point assignment thread.

How does this work with 1rtt?

E.g. the first message sent from the client side includes the ClientHello and embedded extension containing the ClientKeyExchange.  As I read this, the hash would then only cover that message.  (E.g. it says "up to and including ClientKeyExchange").

> When a full handshake takes place, we define
>           session_hash = Hash(handshake_messages)
>     where "handshake_messages" refers to all handshake messages sent or
>     received, starting at client hello up to and including the Client Key
>     Exchange message, including the type and length fields of the
>     handshake messages.  This is the concatenation of all the exchanged
>     Handshake structures, as defined in Section 7.4 of [RFC5246].

To be honest, I'm not a big fan of this approach as it requires the derivation of the master secret to be deferred until all the other exchanges are done and that seems to be counter to the move towards fewer round trips and prevents the ability to encrypt any of the handshake messages.

Or did I miss something here?

I would note that the attack on RSA encrypted secrets is not applicable to TLS1.3 as Key Transport as a pre-master mechanism is being removed.  More detail expanding the DHE (and ECDHE) attack would be useful.
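The session_hash definition quoted in the message above, worked through in Python as an added example (not code from the draft, the working group, or the author of this message): it serialises TLS 1.2 Handshake structures, hashes them from ClientHello up to and including ClientKeyExchange, type and length fields included, and shows that anything after ClientKeyExchange (such as Finished) does not enter the hash. The transcript bodies are constructed placeholders and the helper names are my own.

```python
import hashlib

# HandshakeType values from RFC 5246, Section 7.4
CLIENT_HELLO = 1
SERVER_HELLO = 2
CERTIFICATE = 11
SERVER_KEY_EXCHANGE = 12
SERVER_HELLO_DONE = 14
CLIENT_KEY_EXCHANGE = 16
FINISHED = 20

def handshake(msg_type: int, body: bytes) -> bytes:
    """Serialize one Handshake structure: type (1 byte) + length (uint24) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_handshakes(transcript: bytes):
    """Split a transcript into (type, raw_structure) pairs; the header stays in raw."""
    msgs, i = [], 0
    while i < len(transcript):
        length = int.from_bytes(transcript[i + 1:i + 4], "big")
        end = i + 4 + length
        if len(transcript) - i < 4 or end > len(transcript):
            raise ValueError("truncated handshake message")
        msgs.append((transcript[i], transcript[i:end]))
        i = end
    return msgs

def session_hash(transcript: bytes, hash_name: str = "sha256") -> bytes:
    """session_hash = Hash(handshake_messages): every Handshake structure, type and
    length fields included, from ClientHello up to and including ClientKeyExchange."""
    msgs = parse_handshakes(transcript)
    if not msgs or msgs[0][0] != CLIENT_HELLO:
        raise ValueError("transcript must start with ClientHello")
    h = hashlib.new(hash_name)
    for msg_type, raw in msgs:
        h.update(raw)
        if msg_type == CLIENT_KEY_EXCHANGE:
            return h.digest()  # later messages (Finished, ...) are not covered
    raise ValueError("no ClientKeyExchange in transcript")

MESSAGES = [  # constructed sample transcript; bodies are placeholders, not real TLS encodings
    handshake(CLIENT_HELLO, b"\x03\x03" + b"\x11" * 32 + b"client-hello-rest"),
    handshake(SERVER_HELLO, b"\x03\x03" + b"\x22" * 32 + b"server-hello-rest"),
    handshake(CERTIFICATE, b"server-cert-chain"),
    handshake(SERVER_KEY_EXCHANGE, b"dhe-params-and-signature"),
    handshake(SERVER_HELLO_DONE, b""),
    handshake(CLIENT_KEY_EXCHANGE, b"client-dh-public"),
    handshake(FINISHED, b"client-verify-data"),  # after CKE: excluded from the hash
]
TRANSCRIPT = b"".join(MESSAGES)
```

Flipping a single bit of the client_random inside ClientHello changes the digest, while appending further Finished messages leaves it unchanged, which is exactly the coverage the draft text describes.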