IETF Logo Mail Archive

Re: [TLS] Renegotiation: trying to summarize

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 19 June 2014 23:19 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17CED1A04C8 for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 16:19:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zbR8k15Xnn6 for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 16:19:32 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B271A0496 for <tls@ietf.org>; Thu, 19 Jun 2014 16:19:32 -0700 (PDT)
Received: from BY2PR03MB427.namprd03.prod.outlook.com (10.141.141.146) by BY2PR03MB428.namprd03.prod.outlook.com (10.141.141.151) with Microsoft SMTP Server (TLS) id 15.0.954.9; Thu, 19 Jun 2014 23:19:31 +0000
Received: from BY2PR03MB427.namprd03.prod.outlook.com ([10.141.141.146]) by BY2PR03MB427.namprd03.prod.outlook.com ([10.141.141.146]) with mapi id 15.00.0954.000; Thu, 19 Jun 2014 23:19:30 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Renegotiation: trying to summarize
Thread-Index: AQHPjBAD3pQReO/HX0e0rijhNJZiipt5DTYA
Date: Thu, 19 Jun 2014 23:19:30 +0000
Message-ID: <ca350126866c4b319c30ecbbc015ce69@BY2PR03MB427.namprd03.prod.outlook.com>
References: <CABkgnnU+9mBdqffcbrmcghH9b3cb_Qh2R-XGWSu6MwB-0y99Lg@mail.gmail.com>
In-Reply-To: <CABkgnnU+9mBdqffcbrmcghH9b3cb_Qh2R-XGWSu6MwB-0y99Lg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::3]
x-microsoft-antispam: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
x-forefront-prvs: 02475B2A01
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(13464003)(51444003)(377454003)(199002)(189002)(101416001)(81542001)(31966008)(99286002)(2656002)(105586002)(83072002)(85306003)(106116001)(85852003)(76576001)(15975445006)(79102001)(95666004)(74662001)(80022001)(74502001)(64706001)(87936001)(20776003)(21056001)(86362001)(33646001)(4396001)(92566001)(76482001)(77982001)(46102001)(19580395003)(19580405001)(99396002)(83322001)(81342001)(50986999)(76176999)(54356999)(74316001)(24736002)(106276001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB428; H:BY2PR03MB427.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Ji0Tx0CUFieVM1G_jCwkZpEFeOY
Subject: Re: [TLS] Renegotiation: trying to summarize
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jun 2014 23:19:37 -0000

This is a good summary, thanks Martin. It also seems that #1 and #2 break (or significantly complicate) existing TLS client auth scenarios, while #3 and #4 allow these client auth scenarios.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Thursday, June 19, 2014 3:44 PM
To: tls@ietf.org
Subject: [TLS] Renegotiation: trying to summarize

It's been a long thread, I think a recap is in order.  Here's the options I've seen thus far:

1. Remove renegotiation entirely

Brian Smith proposed this.  Arguments for are its beautiful simplicity and the fact that it ensures that you limit the time that a single session (and the corresponding keys) live.  Arguments against are that it doesn't allow for long-lived connections; and we've evidence (thanks David) that suggests that rekeying on very short timescales is interesting to some TLS users, misguided or not.

2. Remove renegotiation and replace it with a key refresh

This is what I've proposed, though the details could easily be different (e.g., you could do a new DH exchange for maximal PFS, or you could invent a new message type).  The advantage over #1 is that you can have a much longer connection lifetime.  That could equally be considered a disadvantage.

3. End TLS and use the same L4 for a new session

Here we effectively end TLS, but keep the TCP connection (or
equivalent) around for use in a new TLS session.  In some versions, this has an "end TLS" message that signals the end of the old session.
In others, starting a new handshake terminates the old session implicitly.

Some have suggested that it be phrased in API terms as a new connection, that the application needs to request a new connection to get the handshake to happen.  In others, this is just a different spin on renegotiation, with a little dead air while everything is changed out.  In the latter case, I don't see how this is any different to retaining renegotiation.  The former seems like an optimization of #1.

4. It ain't broke, don't fix it

The general thread here is that any problems are either fictional, or the result of problems in the TLS API or the application that uses it.


In short, I think that #1 and #2 suggest that there is a potential problem if session properties can change; #3 and #4 reject that thesis.

You could treat the 1&2 vs. 3&4 as the high order bit.  Then, you either choose to limit the lifetime of sessions (#1) or go long (#2).
Alternatively, you decide whether to break sessions apart (#3) or keep the old renegotiation scheme (#4).  On the other hand, 3 could looks a lot like an optimization of #1, though it might suggest the potential to get things wrong.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email