IETF Logo Mail Archive

Re: [TLS] Abbreviated Handshake != Renegotiated Handshake

Marsh Ray <marsh@extendedsubset.com> Sat, 19 December 2009 19:00 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A2EAF3A67DB for <tls@core3.amsl.com>; Sat, 19 Dec 2009 11:00:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.592
X-Spam-Level:
X-Spam-Status: No, score=-2.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kzzd7yyslsgW for <tls@core3.amsl.com>; Sat, 19 Dec 2009 11:00:38 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 24E333A672E for <tls@ietf.org>; Sat, 19 Dec 2009 11:00:38 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NM4XO-0005P5-Ge; Sat, 19 Dec 2009 19:00:22 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 8F8526678; Sat, 19 Dec 2009 19:00:21 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1++rK0pCo1VSg2bW+phYOeGSpxrMrOILXY=
Message-ID: <4B2D22C6.9090109@extendedsubset.com>
Date: Sat, 19 Dec 2009 13:00:22 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Ravi Ganesan <ravi@findravi.com>
References: <3561bdcc0912190913t7bf4ea3fkc3ec29117b268b96@mail.gmail.com>
In-Reply-To: <3561bdcc0912190913t7bf4ea3fkc3ec29117b268b96@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Abbreviated Handshake != Renegotiated Handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 19:00:39 -0000

Ravi Ganesan wrote:
> 
>     Well, it also applies to a renegotiated abbreviated handshake (where a
>     renegotiating handshake resumes an existing session). The spec should
>     probably point out that this case is possible, and that exactly the same
>     attacks and defences apply.
> 
>     David-Sarah Hopwood  ?  http://davidsarah.livejournal.com
> 
> 
> This may be  my ignorance, but I assumed the purpose of renegotiation
> was a fresh exchange of authentication and/or keying material.

Forget 'purpose', that's largely an application layer thing.

The TLS spec defines mechanisms: what MAY, SHOULD, and MUST happen.

Whether it's freshening keys, changing auth, etc. what others do with a
basic feature like renegotiation is up to them.

> The
> renego for instance can (infamously) require client-auth while the
> original did not. Or switch ciphersuites.

My belief is that that was one of the original intended purposes for
renegotiation: allow Netscape clients and servers to handle
per-directory client certificate and crypto configuration.

> The abbreviated handshake cannot achieve any of this. It does not
> involve certs or ciphersuites.

Sure, why not? Why couldn't a client offer resumption of a previously
client-authed session in response to a server-initiated renegotiation?

> I thought historically its purpose
> versus: the full handshake exchanges the master-secret in the context of
> a particular TCP-socket.

No, that's the mechanism.

> If the Client wants to use that same master
> secret in the context of a new ( or a million parallel) TCP sockets,
> then use the abbreviated handshake (avoiding the PKI heavy lifting).

Saving computation is probably the most common use of session resumption.

> The
> same thing applies if the binding underneath is not TCP.  The
> abbreviated handshake really has only one purpose in life -- it binds
> the new SSL session (say the new TCP socket) to the old one,

Sort of. If the resumption is successful, it ends up being just one
session which is instantiated on multiple connections.

I haven't heard anyone thinking of it so much in terms of "binding" two
TCP connections. Since you can't usually guarantee that session
resumption will be successful, application protocols usually don't give
it any semantic meaning.

> by each
> party proving knowledge of the original master secret. (exactly what the
> renegotiated handshake chose not to do).

A renegotiation handshake can resume a session if client and server
agree on it.

> Examples  would  be a messengering client that negotiates a full
> handshake with a switch and then each time a new socket is opened for a
> new message uses the abbreviated handshake. Or a page with many many SSL
> protected objects that are independently retrieved.  So in this context
> a "renegotiated abbreviated handshake" seems strange.

It's not clear what the use case is for doing session resumption on a
renegotiation.

But it really just falls naturally out of the basic design of TLS. The
spec doesn't have to call it out as a special case.

> But regardless even if there is something in existence called a
> "renegotiated abbreviated handshake", I think the distinction between
> 'abbreviated handshakes without renegoitation' which are very very
> widely used should not be confused with 'renegotiated handshakes of any
> kind'.

Nowhere in the draft does it talk about "abbreviated handshakes".
Whether or not a handshake is "abbreviated" has absolutely nothing to do
with whether or not it is an initial or a renegotiation handshake.

You could just as easily single out some other protocol feature, say
Diffie-Hellman key exchange, and say there's an under-appreciated
distinction between initial DH handshakes and every other kind of handshake.

> It would be very helpful if the draft made this point.

The bug and the fix are about renegotiation and have absolutely nothing
to do with session resumption. Nevertheless, we already reiterate this
point a couple of times in the draft.

http://www.ietf.org/id/draft-ietf-tls-renegotiation-02.txt:

"The above rules apply even when TLS session resumption is used."

"... with every ClientHello, including ClientHellos where session
resumption is being offered."

- Marsh

v2.23.0 | Report a Bug | By Email