IETF Logo Mail Archive

Re: [TLS] TLS Digest, Vol 65, Issue 76

Ravi Ganesan <ravi@findravi.com> Fri, 18 December 2009 06:50 UTC

Return-Path: <ravi@findravi.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B60A3A6A4A for <tls@core3.amsl.com>; Thu, 17 Dec 2009 22:50:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.176
X-Spam-Level:
X-Spam-Status: No, score=-2.176 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uOYw9G-Np8ss for <tls@core3.amsl.com>; Thu, 17 Dec 2009 22:50:23 -0800 (PST)
Received: from mail-pz0-f176.google.com (mail-pz0-f176.google.com [209.85.222.176]) by core3.amsl.com (Postfix) with ESMTP id A377B3A6A59 for <tls@ietf.org>; Thu, 17 Dec 2009 22:50:17 -0800 (PST)
Received: by pzk6 with SMTP id 6so2029128pzk.29 for <tls@ietf.org>; Thu, 17 Dec 2009 22:49:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.114.119.6 with SMTP id r6mr2397613wac.45.1261118998140; Thu, 17 Dec 2009 22:49:58 -0800 (PST)
In-Reply-To: <mailman.5706.1261104584.32729.tls@ietf.org>
References: <mailman.5706.1261104584.32729.tls@ietf.org>
Date: Thu, 17 Dec 2009 22:49:58 -0800
Message-ID: <3561bdcc0912172249i678bdbf5p89f1c3b3e8fd635@mail.gmail.com>
From: Ravi Ganesan <ravi@findravi.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0016369208c4e75836047afb25d1"
Subject: Re: [TLS] TLS Digest, Vol 65, Issue 76
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 06:50:25 -0000

> I do agree with you there.  Unless the saved session mechanism also
> triggers the functionality and checks that a full handshake would, but
> I think that's too much to hope for.
>
> -Kyle H


I know everyone on this thread knows otherwise, but the way the terms get
used, can easily result in confusion between "full handshake", "abbreviated
handshake" and "renegotiated full handshake".  The attack only applies of
course to last category, and NOT to the abbreviated handshake.

To be pedantic, in the "full" handshake the two sides (or at least the
Server) prove identity to each other using their private keys and
certificates chaining to mutually trusted roots, and exchange the
"master_secret" which is really the "session key". This "master_secret" can
be used by the "abbreviated handshake" to create many (including parallel)
subsequent sessions with each party proving identity here by proving
possession of the session key (the "master secret"). During the abbreviated
handshake one simply CANNOT do all the checks in the full handshake, not
because the developer chose not to do it, but because there is no question
of public key credentials...the abbreviated handshake is relying purely on
the shared secret (via the server.verify and client.verify).

Sorry if this is so obvious to those on this thread, but a lot about SSL is
*not* obvious to the world at general, and unfortunately a number of people
are convinced that the attack discovered a flaw in session resumption or
opening parallel sessions using the abbreviated handshake. If it did, I
missed it perhaps.  If not, perhaps language in text clarifying this
'obvious' point might be useful.

Thanks,

Ravi
-- 
Ravi Ganesan
ravi@findravi.com
www.findravi.com

v2.23.0 | Report a Bug | By Email