Re: [TLS] WGLC: draft-ietf-tls-session-hash
Yoav Nir <ynir.ietf@gmail.com> Mon, 24 November 2014 14:22 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471011A6F71 for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 06:22:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 21tN_uL3m6ll for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 06:22:36 -0800 (PST)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4206F1A6FAA for <tls@ietf.org>; Mon, 24 Nov 2014 06:22:30 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id l15so5903415wiw.16 for <tls@ietf.org>; Mon, 24 Nov 2014 06:22:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GnC5DPha12qASO8S1K3e0dk2Z7bH51YZgnYnMa97NDc=; b=UulrxXER2Mw4zPChYWRTvnBDFcUpC7ue2AmkR9s5m4+MMRGuS92K1U1x8gbZN8+16m f2HvbyaFWR92O/NYCnlkCVdpupwv12wyM1i5BhYJA9PSRfesF/aHp9A8YSRWjNyvXDcb EYGO15XszVdLSR8/FE1oOOlEK1JBhsX+pPdBW8JnhHLQps5GKrPVz1aj9RV3eJhVReIY jMXsjZl25elocfGOwU43zOUU0JQ4iYohfVAoiKMrfBMeqjg33bZ1D6w6EdpdRoLi3NAR I2jJBi/1YMy6Yi23UGgvwoCe28soHJDBSufef+IT/MTwq83TCIshNfJE1zuLP5rwVbF9 haOw==
X-Received: by 10.180.11.140 with SMTP id q12mr22274029wib.45.1416838949047; Mon, 24 Nov 2014 06:22:29 -0800 (PST)
Received: from [172.24.251.68] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id q7sm11657843wix.0.2014.11.24.06.22.27 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Nov 2014 06:22:28 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <B773EC7F-9CE8-4A23-AE53-9F2D4264B4F2@pahtak.org>
Date: Mon, 24 Nov 2014 16:22:25 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <75C82EF9-8800-453F-A489-10FD26E7F2CD@gmail.com>
References: <E3E12F78-101D-4BA8-9EFB-53C24362066E@ieca.com> <62165FC2-540D-48A5-A7AC-3D6D9087FDD2@gmail.com> <B773EC7F-9CE8-4A23-AE53-9F2D4264B4F2@pahtak.org>
To: Stephen Checkoway <s@pahtak.org>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TqXbt2DjWj2vJ9qfJ-K4MNAgArQ
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] WGLC: draft-ietf-tls-session-hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 14:22:38 -0000
> On Nov 24, 2014, at 1:58 PM, Stephen Checkoway <s@pahtak.org> wrote: > > > On Nov 24, 2014, at 3:44 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: > >> Third issue: Why can’t an attacker disable this protection by simply omitting the extension from both its ClientHello and ServerHello? At least in the short term it won’t be practical to fail a handshake because the other side doesn’t support this extension. I guess the answer is that the ruse will work, but the other attacks mentioned in TRIPLE-HS will fail, but it’s not clear to me why. A can still proxy unchanged records from C to S if the connections are resumptions. Perhaps servers should be prohibited from resuming a session set up without this extension if the ClientHello does include the extension. > > The draft currently says "Clients and servers SHOULD NOT resume sessions that do not use the extended master secret..." Are you saying you want that to be MUST NOT? I missed that line. What I was suggesting was that servers MUST NOT resume sessions that were negotiated without the extended master secret in handshakes that do have the extension. Thinking it over now, I guess it would be better to have both lines, because there’s a significant performance penalty to prohibiting sessions resumption with all existing clients, and prohibiting the resumption where the attacker is not manipulating the handshake defeats the known attacks. Yoav
- [TLS] WGLC: draft-ietf-tls-session-hash Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Stephen Checkoway
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Yoav Nir
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Adam Langley
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Nico Williams
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Stephen Checkoway
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Yoav Nir
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Nico Williams
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Martin Thomson
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Martin Thomson
- Re: [TLS] WGLC: draft-ietf-tls-session-hash Henrik Grubbström