Re: [TLS] Redefine Finished message for TLS 1.3 ?

Bodo Moeller <bmoeller@acm.org> Sun, 15 November 2009 19:14 UTC

Return-Path: <bmoeller@acm.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D9E453A68C3 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:14:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.082
X-Spam-Level:
X-Spam-Status: No, score=-100.082 tagged_above=-999 required=5 tests=[AWL=-0.433, BAYES_50=0.001, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DZMe2yLIpfyI for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:14:49 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by core3.amsl.com (Postfix) with ESMTP id 37B9F28C0DB for <tls@ietf.org>; Sun, 15 Nov 2009 11:13:57 -0800 (PST)
Received: from [192.168.1.3] (c-76-102-12-92.hsd1.ca.comcast.net [76.102.12.92]) by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis) id 0Lv6ko-1O9znb24n4-010SnI; Sun, 15 Nov 2009 20:13:51 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Nelson B Bolyard <nelson@bolyard.me>
In-Reply-To: <4AFF0153.3090005@bolyard.me>
References: <20091112181844.GE1105@Sun.COM> <200911122036.nACKa96m016227@fs4113.wdf.sap.corp> <20091112203847.GL1105@Sun.COM> <20091113082235.C55F469F381@kilo.networkresonance.com> <20091113164608.GT1105@Sun.COM> <4AFF0153.3090005@bolyard.me>
Message-Id: <3EFE80FB-AB07-4BB3-ABDD-E836D27B7E54@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 15 Nov 2009 11:13:46 -0800
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX19NGDnbKM6dCB/5iwL7RGDvX7oWP4HXWUTNYM9 xJNUhn/abH3hcF4r/0yxn5pebQ1bRmRibCjcwUzYQFmNn6nSt+ u3zxt5GHiQFRhmOmcobNA==
Cc: tls@ietf.org
Subject: Re: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 19:14:51 -0000

On Nov 14, 2009, at 11:13 AM, Nelson B Bolyard wrote:
> On 2009-11-13 08:46 PDT, Nicolas Williams wrote:

>>
>> The post with message-ID <20091113005419.GQ1105@Sun.COM>, subject
>> "Comments on draft-rescorla-tls-renegotiate", sent at 18:54:19 -0600
>> yesterday most certainly described no Hello extensions, only a  
>> Finished
>> message verify_data computation change.
>
> EKR and Marsh Ray and some others will recall that I proposed  
> essentially
> the same proposal that Nico is now proposing in the meeting meeting in
> Mountain View on September 29, 2009 to which Marsh Ray invited EKR,  
> myself
> and numerous others from this working group.
>
> I proposed that a change in the computation of the TLS Finished  
> message
> to include some value derived from the master secret previously in  
> use on
> the connection before the current renegotiation (such as the Finished
> message contents or some other value "extracted" from the master  
> secret)
> would avoid the overhead of the new extensions on the wire.  My goal  
> was
> to avoid the extra bandwidth and memory cost of those extensions,  
> which
> might be deemed too costly in certain low memory or bandwidth  
> constrained
> applications.
>
> Others in the meeting responded that changing the definition of the
> computation of the Finished messages was a change to the base protocol
> specification (which adding an extension is not), and thus the change
> I proposed would make TLS become (say) TLS 1.3.

In that proposal, would there have been any explicit indicator sent by  
the client and server to indicate that they intend to use the the  
modified Finished message?


One way to avoid most of the overhead from the current ID would be to  
keep the extension *always* empty.  If the client and server both send  
it during any given handshake, then the Finished messages concluding  
that handshake will be computed mostly in the standard way, but if  
it's a renegotiation handshake, including the previous handshake's  
Finished messages in the handshake_messages that will be hashed.   
[Open question: Where should they go?  Maybe the easiest is to always  
hash them at the end; client first, server second.]

This has the same security properties as  draft-rescorla-tls- 
renegotiation-00.txt, but saves 40 plaintext bytes (or 28 over the  
obvious variant of that ID where you remove the non-functional  
overhead, i.e. the server's copy of the client's verify_data.)

The step up to TLS 1.3 will be easy: Just make the modified Finished  
computation the default for the new protocol (i.e., no longer  
requiring the extension-based negotiation).

Bodo