IETF Logo Mail Archive

Re: [TLS] Next Protocol Negotiation 03

George Kadianakis <desnacked@riseup.net> Fri, 27 April 2012 02:57 UTC

Return-Path: <desnacked@riseup.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D95FF11E8079 for <tls@ietfa.amsl.com>; Thu, 26 Apr 2012 19:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.525
X-Spam-Level:
X-Spam-Status: No, score=-3.525 tagged_above=-999 required=5 tests=[AWL=0.073, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbY79vrBq0fp for <tls@ietfa.amsl.com>; Thu, 26 Apr 2012 19:57:44 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [204.13.164.18]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDA311E8072 for <tls@ietf.org>; Thu, 26 Apr 2012 19:57:44 -0700 (PDT)
Received: from fruiteater.riseup.net (fruiteater-pn.riseup.net [10.0.1.74]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.riseup.net (Postfix) with ESMTPS id F1D625B3E0 for <tls@ietf.org>; Thu, 26 Apr 2012 19:57:43 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: desnacked@riseup.net) with ESMTPSA id 0DBBE9BD
From: George Kadianakis <desnacked@riseup.net>
To: tls@ietf.org
User-Agent: Microsoft Outlook Express 6.00.2900.5843
Date: Fri, 27 Apr 2012 04:57:04 +0200
Message-ID: <87aa1xg9vj.fsf@riseup.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: clamav-milter 0.97.3 at mx1
X-Virus-Status: Clean
Subject: Re: [TLS] Next Protocol Negotiation 03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Apr 2012 02:57:45 -0000

Adam Langley wrote:

> On Thu, Apr 26, 2012 at 1:21 PM, Martin Rex <mrex at sap.com> wrote:
> > Maybe we should define something similar for the encrypted part of
> > the handshake, so that we don't have to add new handshake messages
> > for every new feature?
> 
> Indeed, folks seem to be leaning towards wanting more generic support
> for extensions under encryption. Having a "client offers, server
> selects" extension exchange after the ChangeCipherSpecs is perfectly
> possible, although at the cost of precluding False Starting a full
> handshake. False Start isn't a real TLS feature of course, but we're
> currently pondering how much we want to be able to support it, and how
> much we want NPN under encryption.
> 
> Also, if there's a generic "secure" extension exchange after the CCS,
> it has the same concerns as False Start. i.e. an attacker can perform
> a downgrade attack on it. For False Start we say that if the
> ciphersuite isn't strong enough, we simply won't do it. But having a
> TLS feature switch on and off like that seems untenable.
> 
> So, in short, "still thinking".
> 
> 
> Cheers
> 
> AGL

Minimizing the unnecessary unencrypted information in TLS seems like a
wise idea, and post-CCS TLS extensions is a good first step in that
direction.

Defining the use cases and the threat model of post-CCS extensions is
probably a useful thing to do at this point.

For example, thinking about use cases, there are TLS extensions that
can't be placed post-CCS, like the ECC extensions or SessionTicket,
since they concern the SSL key exchange. At the same time, TLS
extensions like server_name, RI or NPN make sense post-CCS.

With regards to the threat model, post-CCS extensions should probably
share the exact same threat model as pre-CCS extensions, since they
both happen before the Finished record (for example, putting
application data on them is not a good idea).

Talking about threat models, the "client offers, server selects" model
might be susceptible to brute-force extension enumeration attacks, and
if 'secret TLS extensions' are considered useful, the protocol should
be designed appropriately.

Getting a bit funkier (since the state machine is a-changing these
days) maybe it makes sense to add a post-auth post-Finished phase to
TLS, so that "supplemental data" can be exchanged without the fear of
an MITM.

PS: Sorry for screwing up the threading; I am not subscribed to the
list and the ML web archive does not expose Message-IDs.

v2.23.0 | Report a Bug | By Email