Re: [TLS] Verify data in the RI extension?
David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 28 November 2009 08:42 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFF043A679C for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:42:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c-gnNQRYoFK7 for <tls@core3.amsl.com>; Sat, 28 Nov 2009 00:42:02 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id 6C15D3A688A for <tls@ietf.org>; Sat, 28 Nov 2009 00:42:02 -0800 (PST)
Received: by ewy6 with SMTP id 6so1258775ewy.29 for <tls@ietf.org>; Sat, 28 Nov 2009 00:41:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=0xZOZyZK6/pqnF14Lp5lamM+DtS9fq1BmczsT3cEFlQ=; b=WkNUJq1Kh4z8prxVmSq5CewPoXS5ZK6mva/qLjffmpNvS2p0X6Q3ZliU0nDWqP6CeV 7859rJuLAn5IhCkQ3J3yJ2jitwmqNCfFKSZiDMDmLTICk25cOI4/QI1eAXJyss/jvqnQ nOSKrHJlbfVZkExp2jZdFGU37pHWMDoAcOW6Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=lPPaAmnLReTPx3vQHOrIRhmot1iNS6/geLWReReMWBE8CbuUpffEonHaAd+HBx8eZK iw6MAuqmG9O0WzWYczpXVvgH88UVi1xnuzD4kvoVWsIIW+zUcsiHtEJCzzT8pfPwO6w3 9TciC8vN1DtaTxB/UlVGRy1YmgZaJLmak8asw=
Received: by 10.216.87.136 with SMTP id y8mr592725wee.70.1259397712875; Sat, 28 Nov 2009 00:41:52 -0800 (PST)
Received: from ?192.168.0.2? (5adcc5d2.bb.sky.com [90.220.197.210]) by mx.google.com with ESMTPS id u14sm5631520gvf.19.2009.11.28.00.41.17 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 28 Nov 2009 00:41:18 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B10E225.4010501@jacaranda.org>
Date: Sat, 28 Nov 2009 08:41:09 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com> <C7355261.6BB2%stefan@aaa-sec.com> <20091127151113.BDEF16C3795@kilo.networkresonance.com>
In-Reply-To: <20091127151113.BDEF16C3795@kilo.networkresonance.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigD0A19434D5A1A2210F317B40"
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 08:42:04 -0000
Eric Rescorla wrote: > I also share [David-Sarah] Hopwood's concern about ambiguity in the handshake > hashes stream created by having data which is not properly formatted > injected into the hash > (http://www.ietf.org/mail-archive/web/tls/current/msg04857.html), > so I don't think the particular approach in Martin's draft is > really satisfactory. That potential weakness can be avoided by encoding the data to be added into the hash as follows: struct { enum { fake_finished(20) } fake_handshake_type; enum { zero(0), (2^24-1) } fake_length; opaque previous_client_verify_data<12..255>; opaque previous_server_verify_data<12..255>; } PreviousVerifyData; This works because the bytes {20, 0, 0, 0} encode a zero-length Finished message, which if they actually appeared on the wire as a handshake message sent in either direction, would cause the recipient to abort the handshake. (This is similar to what Martin suggested in a recent post. Since any fake_length that is not a valid length for verify_data will work, we might as well use 0.) Note that for the receiver of the extra data to fail to abort the handshake in that case, it would have to make two independent errors, both violating 'MUST' requirements present since SSLv3: it would have to accept the empty Finished message out-of-order [*], *and* not check that the contents of that message is a correct verify_data hash. I'm completely satisfied that this approach solves the problem I was concerned about. > This isn't to say that one couldn't design a mechanism that didn't > carry the signaling data over the wire--one obviously could. > However, when I look back over the 50 or so messages that were > sent to the list yesterday, a large fraction of them are various > tweaks on exactly how incorporate that data, which suggests to > me that this approach isn't at all easy to reason about. What matters is whether we have a solution that is easy to reason about (and to implement and specify) once it has been proposed, not how many posts to a mailing list were needed to get there. ---- [*] <http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt> # The handshake protocol messages are presented in the order they must # be sent; sending handshake messages in an unexpected order results # in a fatal error. TLS 1.0 (RFC 2246) # The handshake protocol messages are presented below in the order they # must be sent; sending handshake messages in an unexpected order # results in a fatal error. Unneeded handshake messages can be omitted, # however. Note one exception to the ordering: the Certificate message # is used twice in the handshake (from server to client, then from # client to server), but described only in its first position. The one # message which is not bound by these ordering rules in the Hello # Request message, which can be sent at any time, but which should be # ignored by the client if it arrives in the middle of a handshake. TLS 1.1 (RFC 4346) same wording but with "must" -> "MUST". TLS 1.2 (RFC 5246) same wording but also with "should" -> "SHOULD". -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir