Re: [TLS] TLS Digest, Vol 65, Issue 88
Martin Rex <mrex@sap.com> Mon, 21 December 2009 18:56 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12D0428C124 for <tls@core3.amsl.com>; Mon, 21 Dec 2009 10:56:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.894
X-Spam-Level:
X-Spam-Status: No, score=-5.894 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZWsC7IGhfJt for <tls@core3.amsl.com>; Mon, 21 Dec 2009 10:56:13 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id EA82228C101 for <tls@ietf.org>; Mon, 21 Dec 2009 10:56:12 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBLItss4026259 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Dec 2009 19:55:54 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912211855.nBLItr57029345@fs4113.wdf.sap.corp>
To: ravi@findravi.com
Date: Mon, 21 Dec 2009 19:55:53 +0100
In-Reply-To: <3561bdcc0912211027l642d7085kf825965d3b0d6ec9@mail.gmail.com> from "Ravi Ganesan" at Dec 21, 9 10:27:38 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS Digest, Vol 65, Issue 88
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 18:56:14 -0000
Ravi Ganesan wrote: > > > > > Ravi, your terminology is slightly confusing. Renegotiation refers > > to a TLS handshake that is performed under protection of an existing > > TLS session, so the two things you could distinguish are: > > > > - renegotiation with a full handshake > > - renegotiation with an abbreviated handshake (aka session resume) > > I prefer not to think of the handshake happening "under protection" of > previous session. Another example of this is in current draft which says: > "The handshake is in the clear to the attacker but encrypted over the > attacker's TLS connection to the server." The handshake itself is always of > course is in the clear, certain values in it are encrypted with certain > keys. And in some cases this results in binding to previous sessions. This > sounds nitpicky, but I only say this because perfectly smart security people > with some knowledge of SSL can read sentences like above to assume the > entire handshake (including client_random and server_random) is encrypted. We might be talking past each other to some extent. For a renegotiation handhshake, the entire handshake is encrypted, including client_random and server_random, which means that anybody watching it on the network can not see anything else than the TLS record protocol on the outside (but he can see the ContentType of the records). The communication peers can decrypt the communication, of course. In the specific case of the one attack described in draft-ietf-tls-renegotiation the MitM encrypts the handshake data received from the peer and sends it to the server into a renegotiation handshake, and the MitM decrypts all handshake data received from the server and sends it to the client in the clear. If you discount the special case of the RSA-encrypted premaster secret, there are _no_ values in the handshake data that are encrypted "with certain keys". In the SSL&TLS design, encryption of the communication happens exclusively at the record layer (using records with sequence numbers). -Martin
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Ravi Ganesan
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Geoffrey Keating
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] Handshake not under protection Martin Rex