Re: [TLS] Justification

Nicolas Williams <Nicolas.Williams@oracle.com> Mon, 17 May 2010 15:53 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 98FE83A698B for <tls@core3.amsl.com>; Mon, 17 May 2010 08:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.294
X-Spam-Level:
X-Spam-Status: No, score=-5.294 tagged_above=-999 required=5 tests=[AWL=1.304, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3PW6gnlxW6K for <tls@core3.amsl.com>; Mon, 17 May 2010 08:53:48 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 7F7283A6A8D for <tls@ietf.org>; Mon, 17 May 2010 08:52:09 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4HFpj41018506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 17 May 2010 15:51:49 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4HF8Hd2022296; Mon, 17 May 2010 15:51:44 GMT
Received: from abhmt002.oracle.com by acsmt354.oracle.com with ESMTP id 247244641274111497; Mon, 17 May 2010 08:51:37 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 17 May 2010 08:51:35 -0700
Date: Mon, 17 May 2010 10:51:24 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Message-ID: <20100517155122.GW9429@oracle.com>
References: <20100517152011.GR9429@oracle.com> <C8172EDC.ADF2%stefan@aaa-sec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <C8172EDC.ADF2%stefan@aaa-sec.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Auth-Type: Internal IP
X-Source-IP: acsinet15.oracle.com [141.146.126.227]
X-CT-RefId: str=0001.0A090202.4BF16616.00FB:SCFMA922111,ss=1,fgs=0
Cc: Simon Josefsson <simon@josefsson.org>, "Kemp, David P." <DPKemp@missi.ncsc.mil>, tls@ietf.org
Subject: Re: [TLS] Justification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 15:53:49 -0000

On Mon, May 17, 2010 at 05:35:24PM +0200, Stefan Santesson wrote:
> On 10-05-17 5:20 PM, "Nicolas Williams" <Nicolas.Williams@oracle.com> wrote:
> > The key problem with this
> > extension is that the cached objects aren't bound into the handshake.
> > IMO regardless of how the cached object IDs are obtained, whether by
> > SHA-1 hashing, FNV-1a hashing, server-assigned IDs, or URIs, the object
> > data must be bound into the handshake.
> 
> How can the cached data NOT be bound to the handshake if they are hashed
> with a secure hash which in turn are included in the finished calculation?

They are certainly NOT bound if we use FNV-1a, which is the proposal on
the table.

Plus, if we agree that we need this binding and we want to keep the
current proposal more or less as-is, then we'll need hash agility, which
complicates the protocol.

I'd rather we do something along these lines instead:

 - use FNV-1a (or whatever) to _name_ the objects by checksum;

 - locally hash all the objects' data using the (rather, a) hash
   function used by TLS's Finished message computation and add this hash
   as an input to the Finished message computation:

    - this could be done without modifying the Finished message
      computation by adding a message bearing the hash of all cached
      objects' data to be sent before the first Finished message (then,
      by virtue of being a handshake message, this new message will be
      bound into the Finished messages).

On collision the handshake then fails.  The client should cache
handshake failure information so that on retry it can forgo caching and
then detect collisions.

Nico
--