Re: [TLS] A crazy idea

Michael D'Errico <mike-list@pobox.com> Sun, 15 November 2009 04:49 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 040E93A6811 for <tls@core3.amsl.com>; Sat, 14 Nov 2009 20:49:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.579
X-Spam-Level:
X-Spam-Status: No, score=-2.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6Kir17rYEdZ for <tls@core3.amsl.com>; Sat, 14 Nov 2009 20:49:36 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 33BDD3A67AC for <tls@ietf.org>; Sat, 14 Nov 2009 20:49:36 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 4B2EA9E374 for <tls@ietf.org>; Sat, 14 Nov 2009 23:50:07 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=woCnzwBWXJaF 5JtLKaERDnmiDC4=; b=dTHhCatdqZEpmltDnRnekFU3IiXgZtvjHFSGFpRLn3Jo ufjB1uMSF02M+F+wVfdaOSrEAx9G7bzzxPVJaUoqg6MT4aGz4Ze3x8BR0QntY8iT fbZAbpxvVyW0aXNRVbaZcr7yDxrx+9r/DM0187jfcxfsNC027gVzmGxMMPOG6AI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=i91tyG 0DH8Ql+6mj0Su2HUUOBdlb0URt4xBh44OpYMjEkbcbv7YV2XWnTeq00E8E9sa0J5 3+hRAjS66ONBsdrDdnxskA11+VvilOEtMF6EPoeX4wzgnpx2Ryma8sN+WVBEMbs5 7zfNFLoKX3Uoyyqq7qwwlKRrbDaIyIeb21L08=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 4190E9E373 for <tls@ietf.org>; Sat, 14 Nov 2009 23:50:07 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id BEF2F9E372 for <tls@ietf.org>; Sat, 14 Nov 2009 23:50:06 -0500 (EST)
Message-ID: <4AFF88C2.3030807@pobox.com>
Date: Sat, 14 Nov 2009 20:51:14 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200911150230.nAF2USpK019975@fs4113.wdf.sap.corp> <4AFF6EFA.6080508@pobox.com> <4AFF7071.9050102@extendedsubset.com> <4AFF77B1.1000106@jacaranda.org> <4AFF7EC3.8060805@pobox.com> <4AFF80FA.90106@extendedsubset.com>
In-Reply-To: <4AFF80FA.90106@extendedsubset.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 58C76580-D1A2-11DE-B98E-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] A crazy idea
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 04:49:37 -0000

There could be an initial roll-out of patched servers, configured to
respond to both patched and unpatched clients, but to not perform
renegotiation with unpatched clients.  Once sufficient time has
passed, patched clients can be rolled out, followed by turning off
compatibility mode in servers.

Clients that currently do not have reconnect logic would not need to
add it.

Mike


Marsh Ray wrote:
> Michael D'Errico wrote:
>> Here's a crazy idea: we could define a completely incompatible change
>> to the way Finished messages are calculated even on initial handshakes.
> 
> Or it could be as simple as flipping one bit in the verify_data.
> 
>> A client can initially try connecting using the new Finished message
>> calculation, and if that fails, fall back to the original (if it's
>> willing to risk talking to an unpatched server).
> 
> We can't change the app code.
> 
>> The server has the advantage of receiving the client's Finished message
>> before it needs to send its own, so it can compute both the new and the
>> old versions to see which the client supports.  Then it can decide
>> whether to continue with the handshake or abort.  This also thwarts any
>> tampering by a MITM since neither calculation would match if messages
>> were altered.
>>
>> For session resumption, each side would need to remember whether the
>> new or the old Finished calculation was used.
>>
>> Just throwing the idea out there....
> 
> We need all the ideas we can get.
> 
> Really, I think the harder problem is signaling in the initial hellos,
> particularly the server hello. We need one unambiguous bit in each
> direction, with a consistent default from unpatched endpoints.
> 
> - Marsh