Re: [TLS] History of extensions

Martin Rex <mrex@sap.com> Thu, 12 November 2009 20:35 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 763F33A68FA for <tls@core3.amsl.com>; Thu, 12 Nov 2009 12:35:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.164
X-Spam-Level:
X-Spam-Status: No, score=-6.164 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gz37CI0GM4G5 for <tls@core3.amsl.com>; Thu, 12 Nov 2009 12:35:42 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 5A3993A6956 for <tls@ietf.org>; Thu, 12 Nov 2009 12:35:42 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nACKaAkf016135 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Nov 2009 21:36:10 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911122036.nACKa96m016227@fs4113.wdf.sap.corp>
To: Nicolas.Williams@sun.com
Date: Thu, 12 Nov 2009 21:36:09 +0100
In-Reply-To: <20091112181844.GE1105@Sun.COM> from "Nicolas Williams" at Nov 12, 9 12:18:45 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] History of extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 20:35:43 -0000

Nicolas Williams wrote:
> 
> And I should add that the re-negotiation channel binding can be achieved
> _without_ ServerHello extensions!  If that means improved odds for
> interop, then you should consider it.

They could have, from the beginning of SSLv3...


With other words:

Currently  Finished is defined for both, initial and renegotiate as:

      struct {
          opaque verify_data[verify_data_length];
      } Finished;

      verify_data
         PRF(master_secret, finished_label, Hash(handshake_messages))
            [0..verify_data_length-1];

      finished_label
         For Finished messages sent by the client, the string
         "client finished".  For Finished messages sent by the server,
         the string "server finished".


If the original design had instead distinguished initial and
renegotiation like this, the problem would not exist:


      verify_data for initial handshakes:
         PRF(master_secret, finished_label, Hash(handshake_messages))
            [0..verify_data_length-1];

      verify_data for renegotiation handshakes:
         PRF(master_secret, finished_label, verify_data_of_previous_session,
             Hash(handshake_messages)) [0..verify_data_length-1];


The whole effort with the TLS RI extension is to securely distinguish old from
updated communication peers--provided they do not choke on TLS extensions.

Forward signaling client->server that the client is updated through a
special ciphersuite ID in the ciphersuite list of the ClientHello
is still fairly easy and probably quite interoperable.

Backwards signaling server->client that the server is updated is
a little more difficult because one would have to repurpose an element
of the ServerHello.  If there really are SSL implemenations that fill
the unix_gmt_time with all random data (instead of just fuzzing the
lower bits of it), then that part requires a less "pure" approach.

Maybe by confiscating a currently unused bit of the more tightly
controlled value ranges of other members of the ServerHello handshake
message (server_version.major, cipher_suite or compression_method).

Of course, the server would then only signal back to use the
secure finished message calculation for renegotiation handshakes,
for which the client had indicate to understand that protocol
change by including that special ciphersuites ID in the
cipher_suites list of the ClientHello handshake message.


...but actually, we wanted to Last Call Eric's proposal, didn't we? 

-Martin