IETF Logo Mail Archive

Re: [TLS] Verify data in the RI extension?

Martin Rex <mrex@sap.com> Fri, 27 November 2009 15:51 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC7123A6970 for <tls@core3.amsl.com>; Fri, 27 Nov 2009 07:51:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.188
X-Spam-Level:
X-Spam-Status: No, score=-6.188 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKFRA0t6q4HL for <tls@core3.amsl.com>; Fri, 27 Nov 2009 07:51:47 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id E9D3F3A6925 for <tls@ietf.org>; Fri, 27 Nov 2009 07:51:46 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nARFpdQ5020871 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 27 Nov 2009 16:51:39 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911271551.nARFpcgv003797@fs4113.wdf.sap.corp>
To: ekr@networkresonance.com
Date: Fri, 27 Nov 2009 16:51:38 +0100
In-Reply-To: <20091127151113.BDEF16C3795@kilo.networkresonance.com> from "Eric Rescorla" at Nov 27, 9 07:11:12 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2009 15:51:48 -0000

Eric Rescorla wrote:
> 
> This isn't to say that one couldn't design a mechanism that didn't
> carry the signaling data over the wire--one obviously could. 
> However, when I look back over the 50 or so messages that were
> sent to the list yesterday, a large fraction of them are various
> tweaks on exactly how incorporate that data, which suggests to
> me that this approach isn't at all easy to reason about.

We just carry the original handshake messages and be done with it.

As David outlined stripping the original message header from
the verify_data wasn't such a good idea, because it opens a
theoretical possibility of an attack.  Fine, we leave the
header on.

Messing around with the PRF, that is ideas from implementors
that never came in contact with FIPS 140-2 and interfaces to
crypto hardware and requirements around that.

And it would make everything much more complicated because of
the differences between SSLv3 and TLS. 

Adding the previous Finished messages at the very beginning of
the handshake message hash is less straight-forward.

When the client sends the renegotiation ClientHello, it must
have previously sent the Client.Finished, so we could add that,
however it may have not yet received the Server.Finished from
the previous handshake, so this must go into the handshake
message hash after ClientHello in order to be on the safe side.


-Martin

v2.23.0 | Report a Bug | By Email