IETF Logo Mail Archive

[TLS] Quest for Unified Solution to TLS Renegotiation

Michael D'Errico <mike-list@pobox.com> Wed, 25 November 2009 21:02 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5071F3A6820 for <tls@core3.amsl.com>; Wed, 25 Nov 2009 13:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.504
X-Spam-Level:
X-Spam-Status: No, score=-2.504 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HcWW7JdgHT3A for <tls@core3.amsl.com>; Wed, 25 Nov 2009 13:02:04 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 6BAAC3A67A1 for <tls@ietf.org>; Wed, 25 Nov 2009 13:02:04 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5CD94A184F for <tls@ietf.org>; Wed, 25 Nov 2009 16:01:59 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:content-type :content-transfer-encoding; s=sasl; bh=oO8Yug9AVw31t/XoCPxJlYlVA Ls=; b=HMKCD1izV5jvuYyrUkh2wdKtBx/xI6Lp0bXHjN2Nj6+9rj2A18kML7PzD WNhQ6TuBiwWtwqoa1aa3sfL4QBHMP04GRHWP25txPMKioCg0Cv3KazkQqIxOITT6 VxUrJtMbBfsXbjhLQxpw2SY7W3iBN1tPgeFiGOJMr9oh62fay0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:content-type :content-transfer-encoding; q=dns; s=sasl; b=QG0SweIJ4Enof3ZKRnU hEqmxQZTQEvB/O09idBHASp9/eL41NAqg5K8BpmB/F34Jep4qctQB7XsYCDeChzj cm1wDPcnmlrxDeFkQFh9tauCISVqu7E3qCxvktU/6ABBQtq+fIxdCQYeun9aow30 rWdUuY76fgTxlLAlH9HK1kI4=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5A416A184E for <tls@ietf.org>; Wed, 25 Nov 2009 16:01:59 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id C27FDA184D for <tls@ietf.org>; Wed, 25 Nov 2009 16:01:58 -0500 (EST)
Message-ID: <4B0D9B94.9080205@pobox.com>
Date: Wed, 25 Nov 2009 13:03:16 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: TLS Working Group <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: C5A43974-DA05-11DE-9383-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 21:02:05 -0000

I think that it would be good to find a unified solution that
everybody is happy with, and believe that this may be it:


   1) Client-to-Server signalling can be done in either of
      two ways:

      A) an empty Secure_Renegotiation (SR) extension, or
      B) a "magic" cipher suite

   2) Server-to-Client signal is always an empty SR extension

   3) Incorporate previous verify_data into Finished calc.


The particulars:

A client that currently sends any other extensions MUST also
send the empty SR extension.

A client that currently does not send any extensions MAY send
the empty SR extension, or MAY send the magic cipher suite.

In response to either 1A or 1B, the server responds with an
empty SR extension.  The only ugliness is this apparently-
unsolicited extension returned by the server in response to
the magic cipher suite.  I used to be against this, but have
since decided that it is no more ugly than flipping a version
bit or any of the other ideas.

It remains to be decided if adding the verify_data to the
handshake message stream is the right way to do (3), or if
changing the PRF in some way is better, such as changing the
seed to be the handshake message hash appended with the old
verify_data, or some other method.



Benefits:

All versions including SSLv3 are fixed and able to renegotiate
safely.

This is entirely backward-compatible with SSLv3, even SSLv2
ClientHello.  It is better than RI because when the magic
cipher suite is used there, the server can not check the
verify_data from the client (since it is not sent), so it
can not renegotiate with those old clients at all.

Using an empty extension is much more lightweight a use of
extensions than RI since there is no need to pack the verify_
data into it when sending, or to extract the data when
receiving.

Clients that don't want to add full support for extensions do
not need to -- they can just check for the existence of the
empty SR extension which is a fixed 6-byte string.


I would fully support this "new"[*] solution.  Anybody else?

Mike


[*] I do not remember who initially came up with each of the
ideas in this solution; it was truly a team effort.

v2.23.0 | Report a Bug | By Email