Re: [TLS] New Cached info draft

Stefan Santesson <stefan@aaa-sec.com> Wed, 31 March 2010 23:38 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 922343A68E8 for <tls@core3.amsl.com>; Wed, 31 Mar 2010 16:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[AWL=0.381, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f1TzU6SW7z0X for <tls@core3.amsl.com>; Wed, 31 Mar 2010 16:38:22 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.115]) by core3.amsl.com (Postfix) with ESMTP id 836733A6827 for <tls@ietf.org>; Wed, 31 Mar 2010 16:38:22 -0700 (PDT)
Received: from s57.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 15A65381134 for <tls@ietf.org>; Thu, 1 Apr 2010 01:39:02 +0200 (CEST)
Received: (qmail 41457 invoked from network); 31 Mar 2010 23:38:52 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.16]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s57.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <mrex@sap.com>; 31 Mar 2010 23:38:52 -0000
User-Agent: Microsoft-Entourage/12.24.0.100205
Date: Thu, 01 Apr 2010 01:38:50 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: <mrex@sap.com>, Brian Smith <brian@briansmith.org>
Message-ID: <C7D9A9AA.9CAC%stefan@aaa-sec.com>
Thread-Topic: [TLS] New Cached info draft
Thread-Index: AcrRK1CgdVrEfSfO+USKtQo8LIKEwQ==
In-Reply-To: <201003311947.o2VJlRQP004852@fs4113.wdf.sap.corp>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] New Cached info draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2010 23:38:23 -0000

On 10-03-31 8:47 PM, "Martin Rex" <mrex@sap.com>; wrote:

>> 
>> I can see that it might be useful for the client to cache one value of each
>> cached information item that were obtained during initial (unauthenticated,
>> unencrypted) handshakes plus another set of values per client certificate
>> that were obtained during renegotiation following client authentication.
>> However, in that case, the server probably wouldn't want the client to leak
>> the hash of its second certificate in subsequent initial (unauthenticated,
>> unencrypted) handshakes. It seems something about this should be added to
>> the security considerations of the draft.
> 
> 
> Interesting, I hadn't thought of this aspect.  I think that the
> caching extension (update of client cache, proposal of cached values)
> should apply to all full handshakes, which includes TLS renegotiations,
> this will likely make hashes from data exchanged on a confidential
> rengotiation handshake visible on new in-the-clear handshakes.
> 
> 
>> 
>> If there are other cases where it seems useful to have the client send
>> multiple hashes for the same information item, then those cases should also
>> be discussed before publication so that the security properties of that
>> those kind of usages can be analyzed. For example, I think it is a big
>> privacy problem to send a digest of a value obtained from one server to
>> another server.
> 
> I mainly see a privacy problem for the client, similar to HTTP-Referers:
> or the browser cache.  Maybe a "Cache considerations" sections would
> be appropriate.

I'm still not sure what the threat is.

The client only gives away digest values. In order to know what data these
hash values represent, the "attacker" reasonably needs access to the cached
data.

I can't think of anything useful or serious the attacker can do with this.

/Stefan