IETF Logo Mail Archive

Re: [TLS] TLS Extensions: Omitting Handshake Messages

Eric Rescorla <ekr@rtfm.com> Tue, 07 November 2017 22:47 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 838AB1294BC for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 14:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EsdAWZsiEJBP for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 14:47:19 -0800 (PST)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F1361294E8 for <tls@ietf.org>; Tue, 7 Nov 2017 14:47:19 -0800 (PST)
Received: by mail-yw0-x233.google.com with SMTP id t11so745285ywg.12 for <tls@ietf.org>; Tue, 07 Nov 2017 14:47:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3Dl+tOszhkxkZ4khgr7OQ4Oo71qTaBVxQ/3PETQ3rBA=; b=ZOcn79n1MJrmNnDB44vGlhXROVe/sHWJEt8RPDHZkryUpDO3KuY+dCcEWFi7Meh+Ja MvDRUbbMtwfw84zrjcJktiVT+UOYqmi5YRFqHuksXZoCp6DIKScyT5w7phzr2+oImMFJ oKUpuFCV6xsebUadinfu8HaTACMdRTgdDvqCQJjoWpOhtY6y3GwKV5X+eeRc+2gw5ZBq //xw0r/9wOnpQyePWG9HsVFz7JOia68s8cytgY/RW73RO04NCFZzplEGEKQe4DGK8POR C3/owBQZlC/HLRGocbrQ54DMrV9Wy+MRh/HPioIciPGyWqBgWVfSwWowBxl1+L0l/dMK Ghyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3Dl+tOszhkxkZ4khgr7OQ4Oo71qTaBVxQ/3PETQ3rBA=; b=uHGyM6rtFF0NsfZsNWhQrdNr5/wHcQhq+qdLqQQn6wMxVphUlbBEdJcE/lLzTiA7Xt Qc2h82WluJTLdd+B2RfMdLmfiBuwJp2VfxAm8Sk/rWHSAl25ltA31gCivQrjg/zQPX/Q b2vdEyKK3JVKppMdswRLsaaxmRjCq2zlbYJ6fNBlaIwx85T+ITagGHq5U3A5jYP+DKRH mlT+xXbJ+HKNmrJTyOrEA1mVTys70/m2yU771MGgTiF1TgPBj5M0CLQoAWmo+z/f7Lcg V4fhcVa+MwkZpd76faYOnXvCbNwHIej9gdvnEIJVzedoP6Uucuvn+UoRtKOuzv3nIQ18 Rg/Q==
X-Gm-Message-State: AJaThX6rRa5Rzl5eSpQ7+9he1Q8f9uFsc9pnrDJ/xQNx/ykkUBZSrApY PcLXSM+LfgknoIoa+qF5L93MrDdhHofOFelZZh7+XhCZ
X-Google-Smtp-Source: ABhQp+QdyV6feUQ2aUYq8R/yNdeoSB7bXIXJTBISmElDwmndJxNxzT3TZ6sxXqXMcuY8+Rf4bRH6I1k8k/hoQKN1wnc=
X-Received: by 10.129.36.1 with SMTP id k1mr184362ywk.485.1510094838500; Tue, 07 Nov 2017 14:47:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.61.12 with HTTP; Tue, 7 Nov 2017 14:46:37 -0800 (PST)
In-Reply-To: <CAGbWB+hJ6y4KAh=6fAKJTU3v0coN1RWDqweh8ZwCPh1vmO_RmA@mail.gmail.com>
References: <CAGbWB+hddVX5sNFdjRCia84X2h29acMbfjeM1fapOQk2TvEDCA@mail.gmail.com> <CABcZeBOepA9J8GPZZHPXRv5rUPmeZ8TXFhe7gJGaeWvEi+41Zw@mail.gmail.com> <CAGbWB+hJ6y4KAh=6fAKJTU3v0coN1RWDqweh8ZwCPh1vmO_RmA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Nov 2017 14:46:37 -0800
Message-ID: <CABcZeBMVMiP7xwjOw5TeReq4v6C2ewGTUX-r6iFGjPeB5cnbfw@mail.gmail.com>
To: Illya Gerasymchuk <giluxonchik@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1142e4cc6d2417055d6c5a95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EKJUz-CA3wxt7sqIRP-IL4Rlm-4>
Subject: Re: [TLS] TLS Extensions: Omitting Handshake Messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 22:47:22 -0000

On Tue, Nov 7, 2017 at 2:40 PM, Illya Gerasymchuk <giluxonchik@gmail.com>
wrote:

> Thank you very much for your answer. So just to be clear, hypothetically,
> it would be possible to define an extension for TLS 1.2 that *converts
> it to TLS 1.3 completely*, correct?
>

Well, this is effectively the syntax that TLS 1.3 with PR 1091 uses, except
that it's called "supported_versions".



> For example, would it be possible, to have an extension called *TLS_1.2_TO_TLS_1.3
> *that would define the full handshake to be the following, *and still be
> TLS 1.2 compliant?* (I just copied the full hadshake from the TLS 1.3
> draft and added the text in bold):
>

This seems like a philosophical question.




> To give you a little more background for my motivation behind this, the
> topic for my master thesis is "TLS For IOT", the goal of which is to define
> a new version of TLS protocol, which would be usable on low-power,
> low-energy devices, *while remaining backwards compatible with regular
> TLS.*
>

Well, backward compatible here typically would mean "you can send a
ClientHello to the server and it won't choke", and this would be true for
both your proposal and TLS 1.3. Any other questions about compliance kind
of seem like standards lawyering.

-Ekr




But would that still be considered *TLS Extension Compliant*? (if I can
> remove some of the messages not marked as optional in the spec, such as
> *ServerHelloDone*, then the answer would be yes). The answer to this
> question conditions whether I would need to define 2 separate protocols:
> one for TLS 1.2, one for TLS 1.3 or if I potentially can just define the
> same protocol that could be used by clients and servers supporting both:
> TLS 1.2 and TLS 1.3, by the means of an extension. My main goals would be
> to limit the number of messages sent, the amount of transmitted data, as
> well as use lighter algorithms. Quite a few of the ideas I had initially
> are already implemented in TLS 1.3, so I wanted to migrate a lot of those
> to clients and servers that only support TLS 1.2. I've been reading a lot
> of RFC's and papers about the work done on this topic, but I haven't found
> any of them that does such a thing specifically (removing any of the
> messages not marked as optional).
>
> I'm well aware that I need to be extremely careful when removing messages
> or making any significant changes to the protocol.
>



>
> Thank you,
>
> - Illya
>
> On Tue, Nov 7, 2017 at 5:56 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Tue, Nov 7, 2017 at 6:15 AM, Illya Gerasymchuk <giluxonchik@gmail.com>
>> wrote:
>>
>>> Greetings,
>>>
>>> I've been reading though various RFCs and couldn't find a definite
>>> answer to my question: can a negotiated TLS extension skip some of the TLS
>>> Handshake messages and still be compliant with the TLS specification? My
>>> goal is to develop a new version of TLS (as part of my Master Thesis work),
>>> while preferably, staying backwards-compatible.
>>>
>>> Here, I will be specifically talking about TLS 1.2, defined in RFC 5246.
>>> Below is a message flow for the full handshake (taken directly from RFC
>>> 5246):
>>>
>>>   Client                                          Server
>>>   ------                                          ------
>>>
>>>   ClientHello                  -------->
>>>                                                         ServerHello
>>>                                                         Certificate*
>>>
>>> ServerKeyExchange*
>>>
>>> CertificateRequest*
>>>                                       <--------      ServerHelloDone
>>>   Certificate*
>>>   ClientKeyExchange
>>>   CertificateVerify*
>>>   [ChangeCipherSpec]
>>>   Finished                       -------->
>>>
>>> [ChangeCipherSpec]
>>>                                       <--------        Finished
>>>   Application Data          <------->       Application Data
>>>
>>>
>>> * (asterisk) Indicates optional or situation-dependent messages that are
>>> not always sent.
>>> Now, I do know that it's perfect legal for a TLS extension to modify the
>>> structure of some message or add a new message, but I'm not sure if one of
>>> the messages, not defined as optional/situation-dependent can be omitted.
>>>
>>> Let me give you a concrete example. Let's say I create a new extension
>>> called *XYZ*. The client and the server negotiate that extension in the
>>> their extended hello messages. Would it be legal for the *XYZ*
>>> extension to mandate the server not to send the *ServerHelloDone*
>>> message? As far as I understood, this is not legal.
>>>
>>
>> You certainly can use extensions to indicate that a new message is to be
>> sent, so I don't think it would be necessarily be prohibited to have it
>> remove a message, though I can't offhand think of an example of where we do
>> so.
>>
>>
>> RFC 5245 Section 4.4.1.4 states that:
>>>
>>> "it would be technically possible to use extensions to change major aspects
>>> of the design of TLS; for example the design of cipher suite
>>> negotiation.  This is not recommended; it would be more appropriate to
>>> define a new version of TLS -- particularly since the TLS handshake
>>> algorithms have specific protection against version rollback attacks
>>> based on the version number, and the possibility of version rollback
>>> should be a significant consideration in any major design change"
>>>
>>
>> To be honest, this mostly seems aspirational :)
>>
>>
>> I would assume, however, that those major aspects do no include omitting
>>> messages not marked as optional/situation-dependent in the spec.
>>>
>>> Both, TLS 1.2 and TLS 1.3 draft specs mention REQUIRED/MUST in the
>>> section describing the ClientHello. There are no REQUIRED mentions in other
>>> messages though. You do have the following for the Finished: "A Finished
>>> message is always sent immediately after a change cipher spec message to
>>> verify that the key exchange and authentication processes were successful."
>>> , so things like these lead me to believe that the messages not explicitly
>>> marked as optional, are in fact, required.
>>>
>>
>> They're required absent some extension and you would have to be pretty
>> careful with changes which moved them.
>>
>> -Ekr
>>
>>
>>>
>>>
>>> Thank you.
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email