Re: [TLS] TLS Digest, Vol 65, Issue 88

Martin Rex <> Mon, 21 December 2009 18:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 12D0428C124 for <>; Mon, 21 Dec 2009 10:56:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.894
X-Spam-Status: No, score=-5.894 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VZWsC7IGhfJt for <>; Mon, 21 Dec 2009 10:56:13 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id EA82228C101 for <>; Mon, 21 Dec 2009 10:56:12 -0800 (PST)
Received: from by (26) with ESMTP id nBLItss4026259 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Dec 2009 19:55:54 +0100 (MET)
From: Martin Rex <>
Message-Id: <>
Date: Mon, 21 Dec 2009 19:55:53 +0100
In-Reply-To: <> from "Ravi Ganesan" at Dec 21, 9 10:27:38 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Subject: Re: [TLS] TLS Digest, Vol 65, Issue 88
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Dec 2009 18:56:14 -0000

Ravi Ganesan wrote:
> >
> > Ravi, your terminology is slightly confusing.  Renegotiation refers
> > to a TLS handshake that is performed under protection of an existing
> > TLS session, so the two things you could distinguish are:
> >
> >  - renegotiation with a full handshake
> >  - renegotiation with an abbreviated handshake (aka session resume)
> I prefer not to think of the handshake happening "under protection" of
> previous session. Another example of this is in current draft which says:
> "The handshake is in the clear to the attacker but encrypted over the
> attacker's TLS connection to the server." The handshake itself is always of
> course is in the clear, certain values in it are encrypted with certain
> keys. And in some cases this results in binding to previous sessions. This
> sounds nitpicky, but I only say this because perfectly smart security people
> with some knowledge of SSL can read sentences like above to assume the
> entire handshake (including client_random and server_random) is encrypted.

We might be talking past each other to some extent.

For a renegotiation handhshake, the entire handshake is encrypted,
including client_random and server_random, which means that anybody
watching it on the network can not see anything else than the
TLS record protocol on the outside (but he can see the ContentType
of the records).

The communication peers can decrypt the communication, of course.
In the specific case of the one attack described in
draft-ietf-tls-renegotiation the MitM encrypts the handshake data
received from the peer and sends it to the server into a renegotiation
handshake, and the MitM decrypts all handshake data received from
the server and sends it to the client in the clear.

If you discount the special case of the RSA-encrypted premaster secret,
there are _no_ values in the handshake data that are encrypted
"with certain keys".

In the SSL&TLS design, encryption of the communication happens exclusively
at the record layer (using records with sequence numbers).