IETF Logo Mail Archive

Re: [TLS] client and server verify_data in

Martin Rex <mrex@sap.com> Fri, 13 November 2009 22:23 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D42753A69A6 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 14:23:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.173
X-Spam-Level:
X-Spam-Status: No, score=-6.173 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGI0AwP9UAs2 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 14:23:24 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id C91AD3A6952 for <tls@ietf.org>; Fri, 13 Nov 2009 14:23:23 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nADMNoAB004123 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Nov 2009 23:23:50 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911132223.nADMNo52013257@fs4113.wdf.sap.corp>
To: rdugal@certicom.com
Date: Fri, 13 Nov 2009 23:23:50 +0100
In-Reply-To: <7E1DF37F1F42AB4E877E492C308E6AC402430344@XCH57YKF.rim.net> from "Robert Dugal" at Nov 13, 9 02:28:53 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] client and server verify_data in
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 22:23:24 -0000

Robert Dugal wrote:
> 
> A co-worker an I have been discussing the draft and have some concerns
> about sending client and server verify_data in the extension.
> 
> This data is not normally sent in the clear and I am wondering if this
> will provide additional data that can be used to mount some other form
> of attack.   

This particular issue is a misunderstanding of how this extension works.

The TLS Renegotiation_Info contains the verify_data of the
client.finished (ExtendedClientHello) and
client.finished | server.finished (ExtendedServerHello)

_ONLY_ on the renegotiation handshake, which happens under the
protection of the active TLS session.  The very same verify_data
was actually transferred under exactly this same protection as
the very first message.


As described in my recent proposal, it is not necessary to
send this data at all.  Just devise a different instruction
to have TLS at either end include its local copy of this
previous handshake verify_data in the handshake message hash
that goes into the Finished calculation of the new handshake
(as well as the VerifyCertificate calculation when client-cert is used)
and you get the same effect with respect to including the
previous session in the authentication of the new session.

-Martin

v2.23.0 | Report a Bug | By Email