Re: [TLS] Verify data in the RI extension?
Yoav Nir <ynir@checkpoint.com> Thu, 26 November 2009 08:51 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0A343A6A1D for <tls@core3.amsl.com>; Thu, 26 Nov 2009 00:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level:
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZ4VS7IILr1a for <tls@core3.amsl.com>; Thu, 26 Nov 2009 00:51:23 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id A5F873A63EC for <tls@ietf.org>; Thu, 26 Nov 2009 00:51:22 -0800 (PST)
X-CheckPoint: {4B0E3DC1-1-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 543EF29C008; Thu, 26 Nov 2009 10:51:16 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 2124629C002; Thu, 26 Nov 2009 10:51:16 +0200 (IST)
X-CheckPoint: {4B0E3DC0-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nAQ8pFGo024759; Thu, 26 Nov 2009 10:51:15 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 26 Nov 2009 10:51:21 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Date: Thu, 26 Nov 2009 10:51:11 +0200
Thread-Topic: [TLS] Verify data in the RI extension?
Thread-Index: AcpudZ/T2dP4yiUOQNiqr1jShi/VuQ==
Message-ID: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com>
References: <C733FAC4.6B2F%stefan@aaa-sec.com>
In-Reply-To: <C733FAC4.6B2F%stefan@aaa-sec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 08:51:24 -0000
On Nov 26, 2009, at 10:28 AM, Stefan Santesson wrote: > Eric and all, > > On 09-11-25 11:35 PM, "Eric Rescorla" <ekr@networkresonance.com> wrote: > >> What about not putting the verify data in the extension? >> I think that issue is separable from the question of how we signal >> support, so would like to deal with it separately. > > I would like to elaborate my support for an RI with absent verify data. > > The major argument I have seen for including verify data in the RI extension > is that it would allow us to preserve the current Finished calculation. This > will allow us to use more of the current implementation code and provide a > more clean design. > > I think these to a major extent are valid arguments, but I find the opposing > arguments even more convincing. These are: > > > 1) Empty RI It's good security design > > If you want to make sure two parties agree on a value that they have derived > from a previous state, in order to bind to the previous state, then why > would you exchange that value before doing the check? > > On the contrary, I find it to be good security design not to exchange that > value as it: > > 1) Reduce information leakage to an attacker > 2) Increase the security assumptions that can be made based on a proof of > matching values (good Finished messages). > > Even if there are no attack today to exploit the information leakage and > exchanging the values allows secure design, I still find it valuable to > apply the best possible security design to reduce the chance of future > problems. Agree > 2) Better migration path towards future > > If we would design TLS 1.3, then would we send this data in the handshake, > or would we not? > > I suspect we would not, due to argument 1) > Exchanging this value serves no purpose other than saving a few lines of > code changes from TLS 1.2. > > Consequently, if we design an updated Finished calculation now, we can keep > that in TLS 1.3 and just remove the signaling we now add for SSLv3 -> TLS > 1.2. Agree > 3) Less likely to cause implementation problems > > This is just my guessing based on what I have heard. > But if the client verify data is provided in RI, then it is not enough to > recognize the extension. It is now also necessary to parse it, extract the > data and to use it in a critical security check. > > I can't really judge how likely this is to cause more implementation > problems or even implementations that appears to do the security check > against previous handshakes, but actually just feeds it into the finished > calculation blindly. > > But it feels like good design to eliminate/reduce this type of problems if > possible. Especially if it is better security design at reasonable cost. As far as implementation complexity, it's a wash. You have to have some long-term "state", which now must include the old verify_data. There's no way around that. It's not that much different to add this to the calculation of the Finished message, either in concatenation to the handshake messages, or instead of the finished label, as it is to compare it to the contents of the RI extension. There is the risk that an implementer who hasn't been following this list might fail to verify the data in the extension. Googling 'security bug "fails to verify"' returns 34,000 hits, suggesting that this is a valid concern.
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir