Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
Martin Rex <mrex@sap.com> Thu, 10 December 2009 00:18 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C7103A68C1 for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:18:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.193
X-Spam-Level:
X-Spam-Status: No, score=-6.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grv32i6bjntx for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:18:51 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 5FE573A684F for <tls@ietf.org>; Wed, 9 Dec 2009 16:18:51 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBA0Ia1F010514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 10 Dec 2009 01:18:36 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912100018.nBA0IZN8018573@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 10 Dec 2009 01:18:34 +0100
In-Reply-To: <4B201B0E.2080600@extendedsubset.com> from "Marsh Ray" at Dec 9, 9 03:47:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 00:18:52 -0000
Marsh Ray wrote: > > > The purpose of the MCSV is: > > > > - provide interop with installed base of old, extensions-intolerant > > servers (original&correct SSLv3 and "defective" TLSv1.0) > > > > - provide protection from downgrade attacks (extension-less > > ClientHello or SSLv2 ClientHello) > > > > - provide protection in backwards interop scenarios (renegotiation > > requested by old servers). > > It will never be safe to conduct renegotiation with a remote party in > the absence of negotiated RI. As I wrote a while ago, the name "TLS_RENEGO_PROTECTION_REQUEST" was chosen _not_ as a requst for secure renegotiation (which it is NOT), but as a request for _protection_ from the vulnerability through old TLS renegotiation. There are two different issues that the fix needs to provide: - secure renegotiation between updated clients and servers directly talking to each other - protection from MitM attacks in all 3 attack scenarios - protection from MitM attacks for communication between updated clients and updated servers even when both allow old renegotiation for backwards interop. The secure renegotiation is provided by "authenticating" the verify data from the previous finished messages. TLS extension RI performs the authentication with memcmp() on data exchanged through a TLS extension in the renegotiation handshake. The protection is provided through negotiating/signaling with the peer that one is updated. TLS extension RI does both with the same piece of data in the handshake message (TLS extension RI), and it seems that some people fail to understand the difference between the two things. Previously, I wrote that draft-mrex-tls-secure-renegotiation-03.txt is a "nanny spec", because it does _not_only_ describes how to perform secure renegotiation, but it _also_ describes how to implement backwards interop securely. This discussion here sugggests that this difference is unclear to at least some people, and therefore should be better explained in the draft-ietf-tls-renegotiation-02 as well! -Martin
- [TLS] Analysis of Interop scenarios TLS extension… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Dieter Bratko
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… tom.petch
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Steve Checkoway
- [TLS] Black hole was Re: Analysis of Interop scen… tom.petch
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Pasi.Eronen
- Re: [TLS] Black hole was Re: Analysis of Interop … Martin Rex
- Re: [TLS] Black hole was Re: Analysis of Interop … Pasi.Eronen
- Re: [TLS] Black hole was Re: Analysis of Interop … Martin Rex
- Re: [TLS] Black hole was Re: Analysis of Interop … Bill Frantz
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray