Re: [TLS] Redefine Finished message for TLS 1.3 ?

Martin Rex <mrex@sap.com> Sun, 15 November 2009 19:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DC743A69A4 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:31:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.742
X-Spam-Level:
X-Spam-Status: No, score=-3.742 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_40=-0.185, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLnwQppAWvLI for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:31:56 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 3A5B53A67B4 for <tls@ietf.org>; Sun, 15 Nov 2009 11:31:56 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAFJVq9r021346 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 15 Nov 2009 20:31:52 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911151931.nAFJVpK3016250@fs4113.wdf.sap.corp>
To: bmoeller@acm.org
Date: Sun, 15 Nov 2009 20:31:51 +0100
In-Reply-To: <3EFE80FB-AB07-4BB3-ABDD-E836D27B7E54@acm.org> from "Bodo Moeller" at Nov 15, 9 11:13:46 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 19:31:57 -0000

Bodo Moeller wrote:
> 
> One way to avoid most of the overhead from the current ID would be to  
> keep the extension *always* empty.  If the client and server both send  
> it during any given handshake, then the Finished messages concluding  
> that handshake will be computed mostly in the standard way, but if  
> it's a renegotiation handshake, including the previous handshake's  
> Finished messages in the handshake_messages that will be hashed.   
> [Open question: Where should they go?  Maybe the easiest is to always  
> hash them at the end; client first, server second.]

My suggestion: always after ServerHello.  At that point, servers
and clients know whether they need to fallback to the old behaviour
or not, provided that their policy/configuration should allow that.

They should definitely go before the CertificateVerify message, so that
the signature with the client certificate is also securely
cryptographically bound to the channel (I don't like the idea to
have the CertificateVerify succeed on a MITM attack and only the finished
mac fail, if we can easily make both fail.

> 
> The step up to TLS 1.3 will be easy: Just make the modified Finished  
> computation the default for the new protocol (i.e., no longer  
> requiring the extension-based negotiation).

Correct!  There really is no need to keep the old, unprotected
negotiation around in TLS v1.3.  If TLSv1.3 is proposed by the client
and agreed to by the server, no additional signaling is necessary
anymore.  This is why adding the verify_data to the handshake messages
hashes (my suggestion, always after ServerHello)


-Martin