Re: [TLS] WGLC: draft-ietf-tls-session-hash

Yoav Nir <> Mon, 24 November 2014 14:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 471011A6F71 for <>; Mon, 24 Nov 2014 06:22:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 21tN_uL3m6ll for <>; Mon, 24 Nov 2014 06:22:36 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4206F1A6FAA for <>; Mon, 24 Nov 2014 06:22:30 -0800 (PST)
Received: by with SMTP id l15so5903415wiw.16 for <>; Mon, 24 Nov 2014 06:22:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GnC5DPha12qASO8S1K3e0dk2Z7bH51YZgnYnMa97NDc=; b=UulrxXER2Mw4zPChYWRTvnBDFcUpC7ue2AmkR9s5m4+MMRGuS92K1U1x8gbZN8+16m f2HvbyaFWR92O/NYCnlkCVdpupwv12wyM1i5BhYJA9PSRfesF/aHp9A8YSRWjNyvXDcb EYGO15XszVdLSR8/FE1oOOlEK1JBhsX+pPdBW8JnhHLQps5GKrPVz1aj9RV3eJhVReIY jMXsjZl25elocfGOwU43zOUU0JQ4iYohfVAoiKMrfBMeqjg33bZ1D6w6EdpdRoLi3NAR I2jJBi/1YMy6Yi23UGgvwoCe28soHJDBSufef+IT/MTwq83TCIshNfJE1zuLP5rwVbF9 haOw==
X-Received: by with SMTP id q12mr22274029wib.45.1416838949047; Mon, 24 Nov 2014 06:22:29 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id q7sm11657843wix.0.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Nov 2014 06:22:28 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Mon, 24 Nov 2014 16:22:25 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Stephen Checkoway <>
X-Mailer: Apple Mail (2.1993)
Cc: " (" <>
Subject: Re: [TLS] WGLC: draft-ietf-tls-session-hash
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Nov 2014 14:22:38 -0000

> On Nov 24, 2014, at 1:58 PM, Stephen Checkoway <> wrote:
> On Nov 24, 2014, at 3:44 AM, Yoav Nir <> wrote:
>> Third issue: Why can’t an attacker disable this protection by simply omitting the extension from both its ClientHello and ServerHello?  At least in the short term it won’t be practical to fail a handshake because the other side doesn’t support this extension. I guess the answer is that the ruse will work, but the other attacks mentioned in TRIPLE-HS will fail, but it’s not clear to me why. A can still proxy unchanged records from C to S if the connections are resumptions. Perhaps servers should be prohibited from resuming a session set up without this extension if the ClientHello does include the extension.
> The draft currently says "Clients and servers SHOULD NOT resume sessions that do not use the extended master secret..." Are you saying you want that to be MUST NOT?

I missed that line.

What I was suggesting was that servers MUST NOT resume sessions that were negotiated without the extended master secret in handshakes that do have the extension.

Thinking it over now, I guess it would be better to have both lines, because there’s a significant performance penalty to prohibiting sessions resumption with all existing clients, and prohibiting the resumption where the attacker is not manipulating the handshake defeats the known attacks.