Re: [TLS] Redefine Finished message for TLS 1.3 ?

Bodo Moeller <bmoeller@acm.org> Sun, 15 November 2009 19:53 UTC

Return-Path: <bmoeller@acm.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 563CB3A680D for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:53:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.959
X-Spam-Level:
X-Spam-Status: No, score=-99.959 tagged_above=-999 required=5 tests=[AWL=-0.124, BAYES_40=-0.185, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2tNq5p17ucw for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:53:49 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by core3.amsl.com (Postfix) with ESMTP id 93FAB3A67FF for <tls@ietf.org>; Sun, 15 Nov 2009 11:53:34 -0800 (PST)
Received: from [192.168.1.3] (c-76-102-12-92.hsd1.ca.comcast.net [76.102.12.92]) by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis) id 0Ls5Ln-1ODZgJ02SV-013lYs; Sun, 15 Nov 2009 20:53:17 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: mrex@sap.com
In-Reply-To: <200911151931.nAFJVpK3016250@fs4113.wdf.sap.corp>
References: <200911151931.nAFJVpK3016250@fs4113.wdf.sap.corp>
Message-Id: <23C64282-8C42-45AA-A730-4E5376D55EA9@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 15 Nov 2009 11:53:13 -0800
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX19JHXkwmJOUIo9PSKooiu6LM70PK3bkyl7aG4v 6ZDTTpfANKWFBtU2n0IIWmpk8Miua6A9Qtx8xtu3A12eNJ+ZR7 ZmszK2FcSUOO4HZXC87Ew==
Cc: tls@ietf.org
Subject: Re: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 19:53:50 -0000

On Nov 15, 2009, at 11:31 AM, Martin Rex wrote:
> Bodo Moeller wrote:

>> One way to avoid most of the overhead from the current ID would be to
>> keep the extension *always* empty.  If the client and server both  
>> send
>> it during any given handshake, then the Finished messages concluding
>> that handshake will be computed mostly in the standard way, but if
>> it's a renegotiation handshake, including the previous handshake's
>> Finished messages in the handshake_messages that will be hashed.
>> [Open question: Where should they go?  Maybe the easiest is to always
>> hash them at the end; client first, server second.]
>
> My suggestion: always after ServerHello.  At that point, servers
> and clients know whether they need to fallback to the old behaviour
> or not, provided that their policy/configuration should allow that.
>
> They should definitely go before the CertificateVerify message, so  
> that
> the signature with the client certificate is also securely
> cryptographically bound to the channel (I don't like the idea to
> have the CertificateVerify succeed on a MITM attack and only the  
> finished
> mac fail, if we can easily make both fail.

That's a very good point!

So we'd actually be changing the handshake_message definition not just  
for purposes of the Finished messages, but also for purposes of the  
CertificateVerify message.  We'd always pretend that the previous  
Finished messages occur in the present handshake after both Hello  
messages are done.

[Do you agree with "client Finished first, server Finished second"?   
This is the obvious order if the previous handshake was a full  
handshake -- in case if was an abbreviated handshake (i.e., resuming a  
session), however, these messages would actually have been exchanged  
in the opposite order.  *Not* following the original order in this  
case seems easier.]



>> The step up to TLS 1.3 will be easy: Just make the modified Finished
>> computation the default for the new protocol (i.e., no longer
>> requiring the extension-based negotiation).
>
> Correct!  There really is no need to keep the old, unprotected
> negotiation around in TLS v1.3.  If TLSv1.3 is proposed by the client
> and agreed to by the server, no additional signaling is necessary
> anymore.  This is why adding the verify_data to the handshake messages
> hashes (my suggestion, always after ServerHello)

By the way, it would even be possible to specify more signals that  
could be used to switch to this modified handshake_message (and thus,  
Finished.verify_data) specification.  If we assume that the extension  
is one way to enable this behavior, and the protocol version will be a  
second way, a magic ciphersuite number that new servers are expected  
to look out for could be a third option.

Bodo