IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Mon, 16 November 2009 10:53 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6F6028C139 for <tls@core3.amsl.com>; Mon, 16 Nov 2009 02:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.734
X-Spam-Level:
X-Spam-Status: No, score=-5.734 tagged_above=-999 required=5 tests=[AWL=0.515, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lp3fIf78Zwfr for <tls@core3.amsl.com>; Mon, 16 Nov 2009 02:53:12 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id BFFE128C137 for <tls@ietf.org>; Mon, 16 Nov 2009 02:53:11 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAGAr2vD008321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Nov 2009 11:53:02 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911161053.nAGAr1DS020959@fs4113.wdf.sap.corp>
To: jsalowey@cisco.com
Date: Mon, 16 Nov 2009 11:53:00 +0100
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE5091A76B1@xmb-sjc-225.amer.cisco.com> from "Joseph Salowey" at Nov 15, 9 10:31:10 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 10:53:12 -0000

Joseph Salowey wrote:
> > 
> > I really like to hear convincing arguments why we need the 
> > TLS extension in the renegotiation handshake, and why 
> > changing the definition for the handshake message hash 
> > instead is not a superior alternative.  In particular one 
> > that will grow naturally into future TLS revisions.
> 
> [Joe] TLS Extensions is the standard way to extend the protocol.  Using
> the ciphersuite field as a means to change the base protocol is a new
> extension mechanism.  I don't think this is a particularly good thing
> for TLS to grow into.  I don't see a reason to define a new extension
> mechanism when we can achieve what is necessary using the existing
> mechanism.   When TLS 1.2+x is defined in the future then it can address
> the renegotiation problem as necessary and the version field will signal
> the underlying changes.   


You do not seem to understand the TLS renegotiation problem at all.

We are NOT supposed to extend TLSv1.2, we are supposed to FIX
all protocol versions of TLS out there SSLv3->TLSv1.2.

The TLS extensions mechanism is completely irrelevant to the problem
and completely unnecessary for the fix.


Requiring people to implement generic TLS extensions, something
that was completely undefined even for TLSv1.0 and is still optional
in TLSv1.2, only to fix something that has nothing to do with
TLS extensions and can be fixed much more easily without TLS extensions
is a pretty bad idea and poor engineering.


Think about the lines of code for a client:

minimum:

1  Memorizing the verify_data from the last finished messages
   (extend the session structure to keep a copy)
   2x memcpy()
   one after creating client.finished and after verifying server.finished.

2  add the verify_data to the handshake message hash for renego
   1x if ()  plus 2x  add_to_handshake_message_hash(previous.verify_data)
   after processing server hello


extra: the handshake

3  add the fake ciphersuite ID to the clients ciphersuite list
   can be as simple as adding an entry to a statically comiled structure,
   but 5 statements to add it dynamically is still ok

4  check the ServerHello for the server-signal to decide wether to abort
   talking to an unpatched server
   1x if  ( ... server_version ...)  {  send_alert( ) ; goto error }


more extra: still talk to old servers if config permits it

5  config parsing

6  put a second condition into the if() in (2)



The TLS extensions stuff requires at least 3x the amount of code,
is a complete waste for the code and for the network bandwidth.


Just dump the completely unnecessary TLS extension gift wrapping
for the fix and get over it.


-Martin

v2.23.0 | Report a Bug | By Email