IETF Logo Mail Archive

Re: [TLS] First TLS cached information draft posted

Martin Rex <Martin.Rex@sap.com> Tue, 09 June 2009 13:47 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 797223A6806 for <tls@core3.amsl.com>; Tue, 9 Jun 2009 06:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wtGTeOIb3aFk for <tls@core3.amsl.com>; Tue, 9 Jun 2009 06:47:32 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 53EC83A659B for <TLS@ietf.org>; Tue, 9 Jun 2009 06:47:32 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id n59DlZ17010900 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Jun 2009 15:47:35 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200906091347.n59DlYva003622@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Tue, 09 Jun 2009 15:47:34 +0200
In-Reply-To: <87fxe9ki6m.fsf@mocca.josefsson.org> from "Simon Josefsson" at Jun 9, 9 08:57:53 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: TLS@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2009 13:47:33 -0000

Simon Josefsson wrote:
> 
> > 3) Is the server REQUIRED to honor its support of a CachedObject by
> > replacing the identified handshake data with a received hash?
> >
> > Proposed answer = NO (for reasons raised by Martin)
> 
> I understand Martin's concern, but how would a client know whether data
> was replaced or not?  How would the client know which hash algorithm is
> used?

The Server can reliably signal in the ServerHello extension whether
it supports Caching for an object for which the Client asserted
a Hash value in the ClientHello extension, and the Server ought
to be able to decide upfront which Hash algorithms it supports.

Allowing the client to supply different hashes for different
incarnations of the same tls handshake data would significantly
increase the protocol complexity.  Suddenly, the hash values
of different algorithms might refer to different cached data.

I would suggest to limit the client to announce only one cached
value (possibly with different hash algorithms, but then the server
should not have to check each hash value for a mach, but only the
hash algorithm selected by the server).

It might be sensible for the client to manage cache entries based
on several attributes, and in particular distuigish also by the
"server name" as used in the TLS extension "Server name indication"
in order to support TLS-compatible virtual hosting.


> 
> > 4) What does the server send as replacement for the replaced handshake data?
> >
> > Proposed answer = One opaque hash_value (without hash type identifier) that
> > was received by the client, which MUST contain a valid hash over the
> > replaced data.
> 
> I think we need to include the hash algorithm too.  You cannot infer
> which hash algorithm is used based on the length only.
> 
> I don't think it is reliable to optionally replace data.  Hash values
> can be made to look like valid ASN.1, and the client would have to guess
> whether the server replaced the value or not.

The Server Hello Extension should indicate whether the server will
try to use the caching extension, and which hash algorithm it is
going to use (from those proposed by the client).

So the "heuristic" of the client is to match the potentially cached
data (length first, then data) against the one hash value that the
client originally proposed in the ClientHelloExtension and that the server
agreed to support in the ServerHelloExtension.

Personally, I'm not concerned about a potential collision of the
clients proposed hash with the real data that the server is going
to send.  Such a collision would not affect the data that the server
is going to send, it could only affect how the client would
interpret it (using the cached data instead of parsing the
real data that looks like its proposed hash).

What are possible alternatives?
- Send other data that could be ambiguous in other scenarios
- Send data in a specifically invalid fashion, i.e. a maximum-value
  length field that exceeds the outer container size.


-Martin

v2.23.0 | Report a Bug | By Email