Re: [TLS] Wrapping up cached info

[Marsh Ray <marsh@extendedsubset.com>]

On 5/17/2010 11:29 AM, Joseph Salowey (jsalowey) wrote:
> I agree with Uri, that if you determine you need SHA-256 then you should
> plan for hash agility.  TLS 1.2 plans for hash agility.  
> 
> What about Nico's proposal where a checksum is used to identify the
> cached data and the actual handshake contains the actual data hashed
> with the algorithm used in the PRF negotiated with the cipher suite? 
> 
> This way we don't have to introduce hash agility into the extension, but
> we have cryptographic hash agility where it matters in the Finished
> computation.  Does it solve the problem?  

It could perhaps be made to solve the problem, but IMHO it would require
so much additional complexity (aka attack surface) that it wouldn't be
worth it.

While I don't like to reject anything out-of-hand, injecting data into
the calculation of the Finished messages raises a lot of concerns. The
way it currently works (the data interpreted logically is just the bytes
as seen in the hanshake records) has a certain elegant simplicity that
would be a shame to lose. The consequence of the loss of integrity in
the calculation of the Finished messages is pretty much a complete
compromise of the security.

For example, how will the injected data be wrapped? (It must be
delimited somehow or ambiguities may be possible). If they are replaced
as in-line substitutions will lengths of enclosing objects be fixed up?
If there are multiple substitutions, in what order will the replacements
be injected? For an attacker who can efficiently create checksum
collisions does it make any precomputed attacks easier? Will this
require changes in any commonly used APIs (PKCS#11, Schannel, etc)?

- Marsh