IETF Logo Mail Archive

Re: [TLS] Final (hopefully) issues with DTLS 1.2

Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 23 May 2011 14:35 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 894F9E0792 for <tls@ietfa.amsl.com>; Mon, 23 May 2011 07:35:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gq+DW5EklqIZ for <tls@ietfa.amsl.com>; Mon, 23 May 2011 07:35:38 -0700 (PDT)
Received: from mail-ww0-f42.google.com (mail-ww0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id 55D3AE077A for <tls@ietf.org>; Mon, 23 May 2011 07:35:38 -0700 (PDT)
Received: by wwk4 with SMTP id 4so1518826wwk.1 for <tls@ietf.org>; Mon, 23 May 2011 07:35:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:message-id:date:from:user-agent :mime-version:to:subject:references:in-reply-to:x-enigmail-version :openpgp:content-type:content-transfer-encoding; bh=O/YVI2iDmxjrOTv5wwmvBNA3fOF8Mq7leHVxfHZHb0M=; b=ApSfiM8AdYgxgrExBkpW5tJTEDkw7u9RbSgO1I+xvgSKU0h4gDerTgBuQc3cJI5R03 2yiA8S0SGF19tAdcX3lW+ftWhKg8g25Y9QMSlFp/zXbTcvTOu7hFCUyijv6lc6WS76qf 8eYQdEpoXhJXwPXOmQSQI616a/wX2Lg+bIYQM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=V3pd00WvpStVfcF4gzkOEWL0QwgtekfyOxv1RheZkFeXSW8dlKH7/+ZGc7U+Ed1JAA Ex/PDcP7uzD+iis4TEHGYnwdVpZ9czfzFO9NG9hL10VoP8JYTHtl+g25C2yNyIRg1gG5 1iXyp1jSY4C2C+pIxYlaqLCc9FsxDrCkovoj8=
Received: by 10.227.37.14 with SMTP id v14mr2344350wbd.25.1306161337051; Mon, 23 May 2011 07:35:37 -0700 (PDT)
Received: from [10.100.2.14] (94-225-167-75.access.telenet.be [94.225.167.75]) by mx.google.com with ESMTPS id l24sm4132661wbc.13.2011.05.23.07.35.34 (version=SSLv3 cipher=OTHER); Mon, 23 May 2011 07:35:35 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4DDA70B6.9030203@gnutls.org>
Date: Mon, 23 May 2011 16:35:34 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: tls@ietf.org
References: <BANLkTikjMZpYm4Maef1wqnmH4RJ02-6t1g@mail.gmail.com>
In-Reply-To: <BANLkTikjMZpYm4Maef1wqnmH4RJ02-6t1g@mail.gmail.com>
X-Enigmail-Version: 1.1.2
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Final (hopefully) issues with DTLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 May 2011 14:35:45 -0000

On 05/23/2011 03:19 PM, Eric Rescorla wrote:

Hello,

> Record Sequence Number: When responding to a HelloVerifyRequest the
> client MUST use the same parameter values (version, random,
> session_id, cipher_suites, compression_method) as it did in the
> original ClientHello.  The server SHOULD use those values to generate
> its cookie and verify that they are correct upon cookie receipt.  The
> server MUST use the same version number in the HelloVerifyRequest
> that it would use when sending a ServerHello. Upon receipt of the
> ServerHello, the client MUST verify that the server version values
> match. In order to avoid

What is the rationale of this restriction? Given my points in
http://permalink.gmane.org/gmane.ietf.tls/8336
I believe interoperability will be harmed in the future as ciphersuites
are being deprecated or restricted to certain protocols.

> Finally, I've been rethinking the issue of the interaction of the 
> ChangeCipherSpec and the handshake sequence numbers. In Prague I 
> suggested not changing this and just putting a note in the spec that 
> one had to be careful, but at this point I am thinking it might be 
> better to simple suck up the change and put a message sequence
> number in the CCS. This removes the need to consult the handshake
> state machine in order to deal with reordering, though not in order
> to determine whether the CCS is at the appropriate place in the
> handshake (in order to detect misbehaving or malicious behavior
> early).  The downside for this is that it's a difference from TLS,
> but it seems like fairly easy code--though I admit I haven't tried to
> code it up. I don't think either way represents a security issue, but
> doing it this way means that we won't need to be as careful in the
> future about having the state machine be completely deterministic
> prior to the CCS, which seems like the Right Thing. Comments?

Which use-case are you trying to solve? Could an implementation solve
it using another way (what being careful would mean?).

A change like that to changecipherspec is not that trivial as it
actually convert it from a signaling message to a handshake message
(e.g. in my implementation changecipherspec is not parsed by the
handshake layer).

regards,
Nikos

v2.23.0 | Report a Bug | By Email