Re: [TLS] New cached-info draft 09 posted
Martin Rex <mrex@sap.com> Tue, 13 July 2010 15:44 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82FC23A67E3 for <tls@core3.amsl.com>; Tue, 13 Jul 2010 08:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.287
X-Spam-Level:
X-Spam-Status: No, score=-9.287 tagged_above=-999 required=5 tests=[AWL=0.962, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cIgqGdwe-T25 for <tls@core3.amsl.com>; Tue, 13 Jul 2010 08:44:39 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 380583A67D3 for <tls@ietf.org>; Tue, 13 Jul 2010 08:44:39 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o6DFih6m014648 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 13 Jul 2010 17:44:43 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201007131544.o6DFigWr026771@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Tue, 13 Jul 2010 17:44:42 +0200
In-Reply-To: <4C3C8473.4040808@extendedsubset.com> from "Marsh Ray" at Jul 13, 10 10:21:23 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] New cached-info draft 09 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 15:44:40 -0000
Marsh Ray wrote:
>
> On 07/13/2010 09:27 AM, Stefan Santesson wrote:
> > Marsh,
> >
> > I would rather fix the issue with the following updated text:
> >
> > "The hash algorithm used to calculate hash values SHALL be the Finished
> > message hash algorithm of the handshake exchange from which the hashed
> > information was cached. The Finished message hash algorithm in this context
> > is the hash algorithm used to hash handshake messages in the calculation of
> > verify_data (i.e. Hash(handshake_messages) as defined in section 7.4.9 of
> > RFC 5246)."
> >
> > I see no reason to involve the PRF function here. It only adds unnecessary
> > complexity as far as I can see.
>
> Is this intended to be a TLS 1.2-only feature?
I do not see a convincing argument to cripple this extension to TLSv1.2,
The idea of TLS extensions is that they can be added to an existing
implementation of TLS, and the installed base of pre-TLSv1.2 is huge.
>
> If not, how is it to be interpreted for 1.0 and 1.1? They don't use this
> "Hash(handshake_messages)" definition because the unified hash mechanism
> was introduced in 1.2.
Spelling it out for all three existing TLS protocol versions might
avoid confusions and incorrect conclusions.
for TLSv1.0 & TLSv1.1 use SHA-1, for TLSv1.2 use SHA-256.
>
> To me, the PRF seems simpler because it's consistently defined in each
> TLS version.
How come?
>From the TLS spec:
P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
HMAC_hash(secret, A(2) + seed) +
HMAC_hash(secret, A(3) + seed) + ...
A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
There is neither a secret nor a seed involved in the cache identifier,
and we also do not need an arbitrary length output, so the PRF() looks
like a square peg to a round hole.
What we wanted is a hash over the omitted handshake data, not unlike
what the certificate URL extension does.
The original idea is about caching data from a previous handshake
(which shares some characteristics with TLS session caching) and
caching on one side only (which shares some characteristics
with the TLS session ticket extension). When used for caching
it is sufficient when the client learns the hash algorithm to use
on receipt of the ServerHello handshake message that creates
the cache entry.
-Martin
- [TLS] Second Last Call: draft-ietf-tls-rfc4366-bi… The IESG
- Re: [TLS] Second Last Call: draft-ietf-tls-rfc436… Paul Hoffman
- [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Brian Smith
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Martin Rex
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Simon Josefsson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Simon Josefsson
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson