[TLS] Abbreviated Handshake != Renegotiated Handshake

Ravi Ganesan <ravi@findravi.com> Sat, 19 December 2009 17:13 UTC

MIME-Version: 1.0
Date: Sat, 19 Dec 2009 09:13:14 -0800
Message-ID: <3561bdcc0912190913t7bf4ea3fkc3ec29117b268b96@mail.gmail.com>
From: Ravi Ganesan <ravi@findravi.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0016e64b95b6c55414047b17f870"
Subject: [TLS] Abbreviated Handshake != Renegotiated Handshake
Precedence: list

>
>
> Ravi Ganesan wrote:
>
> > I know everyone on this thread knows otherwise, but the way the terms get
> > used, can easily result in confusion between "full handshake",
> "abbreviated
> > handshake" and "renegotiated full handshake".  The attack only applies of
> > course to last category, and NOT to the abbreviated handshake.
>
> Well, it also applies to a renegotiated abbreviated handshake (where a
> renegotiating handshake resumes an existing session). The spec should
> probably point out that this case is possible, and that exactly the same
> attacks and defences apply.
>
> David-Sarah Hopwood  ?  http://davidsarah.livejournal.com
>
>
This may be  my ignorance, but I assumed the purpose of renegotiation was a
fresh exchange of authentication and/or keying material. The renego for
instance can (infamously) require client-auth while the original did not. Or
switch ciphersuites.

The abbreviated handshake cannot achieve any of this. It does not involve
certs or ciphersuites.  I thought historically its purpose versus: the full
handshake exchanges the master-secret in the context of a particular
TCP-socket. If the Client wants to use that same master secret in the
context of a new ( or a million parallel) TCP sockets, then use the
abbreviated handshake (avoiding the PKI heavy lifting). The same thing
applies if the binding underneath is not TCP.  The abbreviated handshake
really has only one purpose in life -- it binds the new SSL session (say the
new TCP socket) to the old one, by each party proving knowledge of the
original master secret. (exactly what the renegotiated handshake chose not
to do).

Examples  would  be a messengering client that negotiates a full handshake
with a switch and then each time a new socket is opened for a new message
uses the abbreviated handshake. Or a page with many many SSL protected
objects that are independently retrieved.  So in this context a
"renegotiated abbreviated handshake" seems strange.

But regardless even if there is something in existence called a
"renegotiated abbreviated handshake", I think the distinction between
'abbreviated handshakes without renegoitation' which are very very widely
used should not be confused with 'renegotiated handshakes of any kind'.

It would be very helpful if the draft made this point.

[TLS] Abbreviated Handshake != Renegotiated Hands… Ravi Ganesan
Re: [TLS] Abbreviated Handshake != Renegotiated H… Marsh Ray
Re: [TLS] Abbreviated Handshake != Renegotiated H… Ravi Ganesan
Re: [TLS] Abbreviated Handshake != Renegotiated H… Michael D'Errico
Re: [TLS] Abbreviated Handshake != Renegotiated H… Eric Rescorla
Re: [TLS] Abbreviated Handshake != Renegotiated H… Ravi Ganesan
Re: [TLS] Abbreviated Handshake != Renegotiated H… Michael D'Errico
Re: [TLS] Abbreviated Handshake != Renegotiated H… Martin Rex
Re: [TLS] Abbreviated Handshake != Renegotiated H… David-Sarah Hopwood
Re: [TLS] Abbreviated Handshake != Renegotiated H… Ravi Ganesan
Re: [TLS] Abbreviated Handshake != Renegotiated H… Martin Rex