Re: [TLS] Wrapping up cached info

Ben Laurie <benl@google.com> Mon, 17 May 2010 18:30 UTC

Return-Path: <benl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0D7403A6AA8 for <tls@core3.amsl.com>; Mon, 17 May 2010 11:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.376
X-Spam-Level:
X-Spam-Status: No, score=-103.376 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wFUq+5zeXhhE for <tls@core3.amsl.com>; Mon, 17 May 2010 11:29:59 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id CEE1F3A6A92 for <tls@ietf.org>; Mon, 17 May 2010 11:29:58 -0700 (PDT)
Received: from kpbe16.cbf.corp.google.com (kpbe16.cbf.corp.google.com [172.25.105.80]) by smtp-out.google.com with ESMTP id o4HITmQ9013309 for <tls@ietf.org>; Mon, 17 May 2010 11:29:49 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1274120989; bh=7wZDOZhTI1Rx8Zh3tq48/HK3X/U=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=E46yK3HfvdjJ/mYbrN2Mtk6LrBOQMQH3T7n0Ft3vDrP4ZueRawZaT5OoEHVnpE5QU HpYO3nokmijmdJRQacuOg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=i3isw16q3Al+zSgFlvaqbakGBFYtp0G/gPij7MceZC/3YodzhTE+QIUCawP+utoiN T5RxUgYnBnkTDEgKnT6tQ==
Received: from gyg8 (gyg8.prod.google.com [10.243.50.136]) by kpbe16.cbf.corp.google.com with ESMTP id o4HITE9P013353 for <tls@ietf.org>; Mon, 17 May 2010 11:29:46 -0700
Received: by gyg8 with SMTP id 8so2373689gyg.26 for <tls@ietf.org>; Mon, 17 May 2010 11:29:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.150.118.14 with SMTP id q14mr7239040ybc.291.1274120986291; Mon, 17 May 2010 11:29:46 -0700 (PDT)
Received: by 10.150.188.9 with HTTP; Mon, 17 May 2010 11:29:46 -0700 (PDT)
In-Reply-To: <4BF187A0.3090408@extendedsubset.com>
References: <C816DA05.66DF%uri@ll.mit.edu> <4BF168A3.40409@extendedsubset.com> <AC1CFD94F59A264488DC2BEC3E890DE50A67C326@xmb-sjc-225.amer.cisco.com> <4BF176BF.8020000@extendedsubset.com> <20100517170810.GY9429@oracle.com> <AANLkTimyy-PoErKMSAnpjT3bZGi_GN2t4h61XsZNtqY_@mail.gmail.com> <4BF187A0.3090408@extendedsubset.com>
Date: Mon, 17 May 2010 19:29:46 +0100
Message-ID: <AANLkTin1mLU-jl8CaKUqTkQhJ5D_udvzkmR5DrOQPuAO@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: multipart/alternative; boundary=000e0cd70ed0c9eeab0486ce681c
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] Wrapping up cached info
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 18:30:00 -0000

On 17 May 2010 19:14, Marsh Ray <marsh@extendedsubset.com> wrote:

> On 5/17/2010 12:17 PM, Ben Laurie wrote:
> >
> > Why is agility a problem, though - could we not say that any hash that is
> > currently required as a signature hash can be used, and identify the hash
> in
> > the extension message?
>
> Sure we could, but is it worth the cost?
>
> Client Hello and Server Hello offer one shot to negotiate the use of
> caching and the identifiers being used. Having it also negotiate the
> hash algorithm at the same time raises the difficulty a bit!
>

I am not suggesting negotiation, I am suggesting a statement. Since the hash
is already required elsewhere in the protocol, there is no need to
negotiate.


> As I see it, here are some challenges raised by hash agility:
>
> 1. TLS implementations will have to implement all the schemes or risk
> interoperability issues or at least missed caching opportunities.
>
> 2. Probably just one scheme will be used in practice anyway. It's likely
> not to be the most secure of the defined choices. The other schemes may
> get little testing.
>
> 3. Clients and servers will be required to maintain multiple hashes for
> every cacheable object.
>
> 4. Clients will likely have to send multiple hash formats until it sees
> what kinds the specific target server can work with.
>
> 5. The "cross-hashfn collision" attack must now be considered. E.g. a
> preimage of one hash fn could collide with a value from another, unless
> the algorithm id is somehow incorporated into the hash value itself.
>
> 6. Bad guy may be able to influence client and server to use his choice
> of hash functions for caching. He could inject phony failures for
> example. This could create a "weakest link" situation where the attacker
> can choose the weakest hash function among all supported alternatives.
>
> All in all, good clean fun. :-) I just don't want a reflexive "gotta
> have agility" to make the proposal inelegant and unwieldy so it has
> trouble gaining widespread acceptance.
>
> - Marsh
>