IETF Logo Mail Archive

Re: [TLS] Quest for Unified Solution to TLS Renegotiation

David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 28 November 2009 08:55 UTC

Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25D123A67D3 for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:55:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJr7mNClEnXY for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:55:03 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id B15A53A679C for <tls@ietf.org>; Sat, 28 Nov 2009 00:55:02 -0800 (PST)
Received: by ewy6 with SMTP id 6so1263106ewy.29 for <tls@ietf.org>; Sat, 28 Nov 2009 00:54:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=HGGWOglfeAoDIXw9/ztdFhfuAHTgux4sZf9fZPpbPPk=; b=rb0OmL/QbRUlS5Ocq/TviK1t6jNHgA0YHxUMGHq09c3uEaJ4CoqsNR/Ffmvb6QXqfD biLU5NiXwVyguc4s33SiW9bzl4cYx9QxceukjU/c0Jkrc6+S2RqIbiZGXO2lJbgJ+QuV 3Qdl3WEW9MQh0RHbG9IFu72COEEQDc1kDEcsQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=x/n8f4RKvHXeTt7jJF54uRmU9Euf9x9PxsicSsaZdA9gsLDnU516w3MxXlqrYNFGge ts5t3Cx8sUDj/9xYAwRMZWevm8WdMzwZNG65QWLltQl5ryruc/85VYdyVQ96AQvmVFKr 6kul3PU9lNRaTHiObKAD0eEDSUsiLH1XHgHLM=
Received: by 10.216.86.211 with SMTP id w61mr601777wee.6.1259398493340; Sat, 28 Nov 2009 00:54:53 -0800 (PST)
Received: from ?192.168.0.2? (5adcc5d2.bb.sky.com [90.220.197.210]) by mx.google.com with ESMTPS id i6sm5642252gve.16.2009.11.28.00.54.51 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 28 Nov 2009 00:54:52 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B10E556.1050802@jacaranda.org>
Date: Sat, 28 Nov 2009 08:54:46 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <C7342F07.6C8C%uri@ll.mit.edu> <32C4392B-749C-47D7-B625-C769A18DE9DE@checkpoint.com>
In-Reply-To: <32C4392B-749C-47D7-B625-C769A18DE9DE@checkpoint.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigF6F6FB90D8197A967A56960A"
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 08:55:04 -0000

Yoav Nir wrote:
> On Nov 26, 2009, at 8:11 PM, Blumenthal, Uri - 0662 - MITLL wrote:
>> On 11/26/09  12:23 , "David-Sarah Hopwood" <david-sarah@jacaranda.org>
>> wrote:
>>> Blumenthal, Uri - 0662 - MITLL wrote:
>>>> Yes, previous_verify_data MUST be a part of the input to the PRF. What Yoav
>>>> Nir said (XOR-ing it with the master_secret), should work (out of hand -
>>>> anybody sees a problem with it?).
>>>
>>> The previous_verify_data is not necessarily secret, so this requires the
>>> PRF to be secure against related-key attack. The particular PRFs used in
>>> SSLv3 and TLS 1.0 to 1.2 should be secure in that sense, but (if we
>>> decide to use this approach) I still prefer what I suggested before:
>>>
>>>    verify_data =
>>>      PRF(master_secret, finished_label, Hash(handshake_messages)
>>>                                         + previous_verify_data)
>>>        [0..verify_data_length-1];
>>>
>>> which uses the PRF in a more conventional way.

I no longer think we should use this approach; the arguments in favour
of encoding the previous_verify_data in handshake_messages (see below)
are compelling.

[reordered]
>> As for SSLv3 - SMNP (Simply Not My Problem :). Would be nice to
>> address it as well, but I'd rather not bend over backwards to also
>> fix SSLv3.

SSLv3 is easy enough to fix without bending over backwards.

> I don't see why my suggestion [XORing the master_secret with the
> previous_verify_data when computing the new hashes] doesn't hold for
> SSLv3 as well.

It does, but the specification complexity is on the high side, given that
the computations would need to be spelled out for SSLv3 and TLS separately,
as well as changing CertificateVerify. Nelson's point about hardware
security modules is another reason not to do this.

Adding the previous_verify_data into handshake_messages is preferable
because:
 - it treats SSLv3 and TLS entirely uniformly;
 - there is no problem with hardware security modules;
 - the use of hashing APIs is unchanged (unlike the suggestion to
   chain all messages in the previous session before those in the
   current session);
 - it automatically causes the previous_verify_data to be included
   in the data signed by CertificateVerify, when used.

The obvious place to put it is just after ServerHello, since that is
before CertificateVerify and is the first point at which both sides
know that this session is renegotiated.

The theoretical attacks that I was worried about are solved by using
the encoding starting with bytes {20, 0, 0, 0} described in my
followup to Eric Rescorla (subject "Verify data in the RI extension" --
it doesn't seem to be in the archive yet).

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email