Re: [TLS] Quest for Unified Solution to TLS Renegotiation
David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 28 November 2009 08:55 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25D123A67D3 for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:55:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJr7mNClEnXY for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:55:03 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id B15A53A679C for <tls@ietf.org>; Sat, 28 Nov 2009 00:55:02 -0800 (PST)
Received: by ewy6 with SMTP id 6so1263106ewy.29 for <tls@ietf.org>; Sat, 28 Nov 2009 00:54:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=HGGWOglfeAoDIXw9/ztdFhfuAHTgux4sZf9fZPpbPPk=; b=rb0OmL/QbRUlS5Ocq/TviK1t6jNHgA0YHxUMGHq09c3uEaJ4CoqsNR/Ffmvb6QXqfD biLU5NiXwVyguc4s33SiW9bzl4cYx9QxceukjU/c0Jkrc6+S2RqIbiZGXO2lJbgJ+QuV 3Qdl3WEW9MQh0RHbG9IFu72COEEQDc1kDEcsQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=x/n8f4RKvHXeTt7jJF54uRmU9Euf9x9PxsicSsaZdA9gsLDnU516w3MxXlqrYNFGge ts5t3Cx8sUDj/9xYAwRMZWevm8WdMzwZNG65QWLltQl5ryruc/85VYdyVQ96AQvmVFKr 6kul3PU9lNRaTHiObKAD0eEDSUsiLH1XHgHLM=
Received: by 10.216.86.211 with SMTP id w61mr601777wee.6.1259398493340; Sat, 28 Nov 2009 00:54:53 -0800 (PST)
Received: from ?192.168.0.2? (5adcc5d2.bb.sky.com [90.220.197.210]) by mx.google.com with ESMTPS id i6sm5642252gve.16.2009.11.28.00.54.51 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 28 Nov 2009 00:54:52 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B10E556.1050802@jacaranda.org>
Date: Sat, 28 Nov 2009 08:54:46 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <C7342F07.6C8C%uri@ll.mit.edu> <32C4392B-749C-47D7-B625-C769A18DE9DE@checkpoint.com>
In-Reply-To: <32C4392B-749C-47D7-B625-C769A18DE9DE@checkpoint.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigF6F6FB90D8197A967A56960A"
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 08:55:04 -0000
Yoav Nir wrote: > On Nov 26, 2009, at 8:11 PM, Blumenthal, Uri - 0662 - MITLL wrote: >> On 11/26/09 12:23 , "David-Sarah Hopwood" <david-sarah@jacaranda.org> >> wrote: >>> Blumenthal, Uri - 0662 - MITLL wrote: >>>> Yes, previous_verify_data MUST be a part of the input to the PRF. What Yoav >>>> Nir said (XOR-ing it with the master_secret), should work (out of hand - >>>> anybody sees a problem with it?). >>> >>> The previous_verify_data is not necessarily secret, so this requires the >>> PRF to be secure against related-key attack. The particular PRFs used in >>> SSLv3 and TLS 1.0 to 1.2 should be secure in that sense, but (if we >>> decide to use this approach) I still prefer what I suggested before: >>> >>> verify_data = >>> PRF(master_secret, finished_label, Hash(handshake_messages) >>> + previous_verify_data) >>> [0..verify_data_length-1]; >>> >>> which uses the PRF in a more conventional way. I no longer think we should use this approach; the arguments in favour of encoding the previous_verify_data in handshake_messages (see below) are compelling. [reordered] >> As for SSLv3 - SMNP (Simply Not My Problem :). Would be nice to >> address it as well, but I'd rather not bend over backwards to also >> fix SSLv3. SSLv3 is easy enough to fix without bending over backwards. > I don't see why my suggestion [XORing the master_secret with the > previous_verify_data when computing the new hashes] doesn't hold for > SSLv3 as well. It does, but the specification complexity is on the high side, given that the computations would need to be spelled out for SSLv3 and TLS separately, as well as changing CertificateVerify. Nelson's point about hardware security modules is another reason not to do this. Adding the previous_verify_data into handshake_messages is preferable because: - it treats SSLv3 and TLS entirely uniformly; - there is no problem with hardware security modules; - the use of hashing APIs is unchanged (unlike the suggestion to chain all messages in the previous session before those in the current session); - it automatically causes the previous_verify_data to be included in the data signed by CertificateVerify, when used. The obvious place to put it is just after ServerHello, since that is before CertificateVerify and is the first point at which both sides know that this session is renegotiated. The theoretical attacks that I was worried about are solved by using the encoding starting with bytes {20, 0, 0, 0} described in my followup to Eric Rescorla (subject "Verify data in the RI extension" -- it doesn't seem to be in the archive yet). -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- [TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood