Re: [TLS] Wrapping up cached info

Marsh Ray <marsh@extendedsubset.com> Mon, 17 May 2010 17:03 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED2713A6956 for <tls@core3.amsl.com>; Mon, 17 May 2010 10:03:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.447
X-Spam-Level:
X-Spam-Status: No, score=-0.447 tagged_above=-999 required=5 tests=[AWL=-0.448, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKiZlPr6zNtU for <tls@core3.amsl.com>; Mon, 17 May 2010 10:03:11 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 7BC4C3A68AD for <tls@ietf.org>; Mon, 17 May 2010 10:03:06 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OE3iS-000O0g-H1; Mon, 17 May 2010 17:02:57 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id E5D426048; Mon, 17 May 2010 17:02:54 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19ZK+I3tMfJoygFeo7TlvvRtyqrblLOnVc=
Message-ID: <4BF176BF.8020000@extendedsubset.com>
Date: Mon, 17 May 2010 12:02:55 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <C816DA05.66DF%uri@ll.mit.edu> <4BF168A3.40409@extendedsubset.com> <AC1CFD94F59A264488DC2BEC3E890DE50A67C326@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50A67C326@xmb-sjc-225.amer.cisco.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Wrapping up cached info
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 17:03:12 -0000

On 5/17/2010 11:29 AM, Joseph Salowey (jsalowey) wrote:
> I agree with Uri, that if you determine you need SHA-256 then you should
> plan for hash agility.  TLS 1.2 plans for hash agility.  
> 
> What about Nico's proposal where a checksum is used to identify the
> cached data and the actual handshake contains the actual data hashed
> with the algorithm used in the PRF negotiated with the cipher suite? 
> 
> This way we don't have to introduce hash agility into the extension, but
> we have cryptographic hash agility where it matters in the Finished
> computation.  Does it solve the problem?  

It could perhaps be made to solve the problem, but IMHO it would require
so much additional complexity (aka attack surface) that it wouldn't be
worth it.

While I don't like to reject anything out-of-hand, injecting data into
the calculation of the Finished messages raises a lot of concerns. The
way it currently works (the data interpreted logically is just the bytes
as seen in the hanshake records) has a certain elegant simplicity that
would be a shame to lose. The consequence of the loss of integrity in
the calculation of the Finished messages is pretty much a complete
compromise of the security.

For example, how will the injected data be wrapped? (It must be
delimited somehow or ambiguities may be possible). If they are replaced
as in-line substitutions will lengths of enclosing objects be fixed up?
If there are multiple substitutions, in what order will the replacements
be injected? For an attacker who can efficiently create checksum
collisions does it make any precomputed attacks easier? Will this
require changes in any commonly used APIs (PKCS#11, Schannel, etc)?

- Marsh