IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 17 February 2011 08:46 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6C9A53A6C6A for <tls@core3.amsl.com>; Thu, 17 Feb 2011 00:46:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.742
X-Spam-Level:
X-Spam-Status: No, score=-3.742 tagged_above=-999 required=5 tests=[AWL=-0.143, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wlxq6ZjbEw2I for <tls@core3.amsl.com>; Thu, 17 Feb 2011 00:46:40 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 58D273A6ABF for <tls@ietf.org>; Thu, 17 Feb 2011 00:46:40 -0800 (PST)
Received: by wwa36 with SMTP id 36so2325586wwa.13 for <tls@ietf.org>; Thu, 17 Feb 2011 00:47:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:message-id:date:from:user-agent :mime-version:to:subject:references:in-reply-to:x-enigmail-version :openpgp:content-type:content-transfer-encoding; bh=NNHXM1i9uBSShKhwtMbzhUujWP9CjLCOCZtKSw3SWkA=; b=ZdPSNydD0Ib40+8KS30/DkQ1Va09zUMsgxFQ/Uq+OHYCVw3p84pzk1GoKB/hc1D9U0 EYw0UjkVTUzG/Rp24sY532+K4usiYN0hIoI3gVaaTpE1/vRncR13DbDF62SYOwM9BIVK 1C3w2UsmbCMNLk3QUcJwRsl+KswIpFyeTyprA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=lAv/gp+XtQvy/K+xW6msR/uWmxn8xrzPbC3skcct497B6PAmwd4cacK/rAqZcDBame lJAtmK/DgED6gGGFtyu6YCE7GSaK5DL2hO6Az7WBalh6lVLibwQarAJdt7LM24nQaSOt yzhhrpOaK5tbK30c+Yv1Hc1EKQ/yJAYzQHpIg=
Received: by 10.216.13.134 with SMTP id b6mr76308web.25.1297932430017; Thu, 17 Feb 2011 00:47:10 -0800 (PST)
Received: from [10.100.2.14] (78-23-65-69.access.telenet.be [78.23.65.69]) by mx.google.com with ESMTPS id o33sm266559wej.13.2011.02.17.00.47.08 (version=SSLv3 cipher=OTHER); Thu, 17 Feb 2011 00:47:09 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4D5CE08C.5060402@gnutls.org>
Date: Thu, 17 Feb 2011 09:47:08 +0100
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: tls@ietf.org
References: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp> <4D5C65D2.4060502@pobox.com>
In-Reply-To: <4D5C65D2.4060502@pobox.com>
X-Enigmail-Version: 1.1.2
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 08:46:41 -0000

On 02/17/2011 01:03 AM, Michael D'Errico wrote:
> I see the potential problem.  For me, though, I just hold onto all
> of the handshake messages until the handshake concludes.  It may use
> a bit more memory for a short amount of time, but the issue you raise
> is completely avoided.  Call it a space <-> code complexity
> trade-off.

Indeed. There is no other way to correctly implement TLS 1.2 except
from holding a copy of all the handshake messages. This is problematic
when converting an implementation of TLS 1.0 or 1.1 to that, since
those protocols only required to hold the state of 1 or 2 running hashes.

This is also not easy to fix in TLS 1.3. Even if TLS 1.3 only
requires to hold the state of a single hash, implementations
must be prepared to hold the entire state just in case TLS 1.2
is negotiated.

> This issue would have been avoided if the
> supported_signature_algorithms extension was symmetric and allowed
> the server to specify its list of algorithms in a ServerHello
> extension.  Alas, that was not the design we ended up with.

That was a bad design decision in TLS 1.2 (if we assume that not caching
all messages was a requirement).

regards,
Nikos

v2.23.0 | Report a Bug | By Email