Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

"Brian Smith" <brian@briansmith.org> Wed, 12 May 2010 14:42 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57B083A6CA1 for <tls@core3.amsl.com>; Wed, 12 May 2010 07:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7YeNrfttq8A for <tls@core3.amsl.com>; Wed, 12 May 2010 07:42:41 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id EA28028C2BC for <tls@ietf.org>; Wed, 12 May 2010 07:26:52 -0700 (PDT)
Received: from T60 (unknown [70.245.69.20]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id E9893509DD for <tls@ietf.org>; Wed, 12 May 2010 10:26:35 -0400 (EDT)
From: "Brian Smith" <brian@briansmith.org>
To: <tls@ietf.org>
References: <20100510221531.GC9429@oracle.com> <201005111339.o4BDdoYQ009725@fs4113.wdf.sap.corp> <20100511152153.GF9429@oracle.com> <201005111803.o4BI3fhO006065@stingray.missi.ncsc.mil> <20100511190958.GR9429@oracle.com> <4BE9B0BC.2000101@extendedsubset.com> <20100511194620.GU9429@oracle.com> <4BE9B856.40000@extendedsubset.com> <20100511200728.GW9429@oracle.com> <4BE9CC88.6040103@extendedsubset.com> <87aas5sbzy.fsf@mocca.josefsson.org>
In-Reply-To: <87aas5sbzy.fsf@mocca.josefsson.org>
Date: Wed, 12 May 2010 09:26:36 -0500
Message-ID: <003601caf1df$24068ad0$6c13a070$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHHMro8BXdqp6B5/qHhToooO2CPmgFmW+YJAjUmb1cBpAvaegHc4ZdyAZ8bmowBonugeAHLA4UDAW9AI3oCX1cKLwJX6SjDAjZV8Kg=
Content-Language: en-us
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 14:42:42 -0000

Simon Josefsson wrote:
> Marsh Ray <marsh@extendedsubset.com> writes:
> 
> > Alternatively, if we determine that indeed the
> > non-collision-resistance of the hash function is the root of all
> > remaining concerns that would be very positive. We could solve them
> > all in one stroke with s/FNV-1a/SHA-256/g.
> 
> If collision-resistance is a required property (I'm not convinced yet), I
believe we
> need hash agility for the possibility that SHA-256 is weak.

In that case, it would be better to consider a new design that follows the
session ID / server-public-key-id design, where the server provides a
cryptographically secured (by TLS) opaque identifier (format totally
unspecified) for the cached data that the client can then use in subsequent
connections. 

Somebody earlier in this thread made a good point that you rarely need this
caching extension if you make good use of session resumption. I think it may
be much better to consider extensions to session resumption that make it
safe(r) to keep sessions open indefinitely (many weeks/months/years).
Perhaps we just need a new extension that says "use this ticket to create a
session using the same server certificate and/or client cert CA list that
was used when the session ticket was created."

Regards,
Brian