IETF Logo Mail Archive

Re: [TLS] First TLS cached information draft posted

Martin Rex <Martin.Rex@sap.com> Tue, 09 June 2009 12:23 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C0683A659B for <tls@core3.amsl.com>; Tue, 9 Jun 2009 05:23:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nwIVFRRVXUM2 for <tls@core3.amsl.com>; Tue, 9 Jun 2009 05:23:49 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id CDCD63A6E3D for <TLS@ietf.org>; Tue, 9 Jun 2009 05:23:48 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id n59CNr2D025304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Jun 2009 14:23:53 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200906091223.n59CNqov028494@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Tue, 09 Jun 2009 14:23:52 +0200
In-Reply-To: <87ab4hisev.fsf@mocca.josefsson.org> from "Simon Josefsson" at Jun 9, 9 12:59:52 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: TLS@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2009 12:23:50 -0000

Simon Josefsson wrote:
> 
> Martin Rex <Martin.Rex@sap.com> writes:
>
> >Simon Josefsson wrote: 
> >> 
> >> Good point, but how would a client know whether a server replaced the
> >> cached information with a hash or not if there is no signaling whether
> >> this happened or not?
> >
> > The client knows which Hash it would find, if the server would sent
> > the hash, so it could check for that.  Even a collision of the
> > hash and the original handshake data would not cause a problem
> > with this "heuristical" determination.
> >
> > I'm wondering about the following: we should give a strong recommendation
> > about the minimum size of an object in order for caching to make any
> > sense at all, like >= 2x the size of the hash.
> >
> > Maybe the minimum size should be rather 3x hash size, considering
> > the rest of the protocol overhead.
> 
> This seems like a good idea -- and it solves the problem in the client
> to identify whether the server replaced the data or not.  If the minimum
> size is 3x hash size, the client can look at the length of the data.  If
> it is longer than 3x hash size, it knows the server opted out from
> sending the hash.  If it is shorter than 3x hash size, it knows the
> server actually did replace the data with a hash value.

Not quite.

The caching extension is supposed to be generic, and the to-be-cached
real data may in some situations be quite short or even the same size
than the hash value (probably not for the server certificate caching,
but maybe for the list of certification authorities in the certificate
request message, which consists of distinguished names only, and
there could be just one very short DName (or none at all with TLS v1.1+)
 

> 
> It seems wasteful that the same hash value is sent back and forth
> _three_ times during a handshake, and possibly that could be optimized.
> But that would add complexity.

There are several conceivable approaches, so we might want to weigh
the pros and cons for them.

 - out-of-band signalling, i.e. in the Server-Hello extension
    (++)  no ambiguity about what is sent, no matter what is acutually
          used as replacement in the encoded handshake message
    (---) would require server to pre-compute hashes over parts of future
          tls handshake messages when composing Server-Hello

 - in-band-signalling, i.e. a combination of the Server-Hello acknowledgement
   for principle support of caching a particular piece of information of
   the (full) SSL handshake plus a replacement tag that the client can
   recognize for the cached piece of information within the SSL handshake
   message in case the hash provided by the client matches the hash over
   the data that the server would normally send.

    (++) smaller impact on the overall architecture of the TLS
         implementation, because there is no requirement to precompute
         a hash over parts of a future tls handshake message

    (-) requires a sort-of heuristic determination whether the data
        encoded in a handshake message is real data or the replacement
        tag--be it a fixed short tag or the hash (pre-requisite: the
        client asserted the hash for cached information in ClientHello
        and the server acknowledged support for this in ServerHello)


-Martin

v2.23.0 | Report a Bug | By Email