Re: [TLS] Triple Handshake Fix.
Karthik Bhargavan <karthik.bhargavan@gmail.com> Wed, 30 April 2014 13:25 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AED71A08BB for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aH8DONKQ1dZR for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:25:32 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id D49F11A08C3 for <tls@ietf.org>; Wed, 30 Apr 2014 06:25:31 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id cc10so9127148wib.2 for <tls@ietf.org>; Wed, 30 Apr 2014 06:25:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=w4zsZXi5enavItWQ+NII+4IiC4HinS5Yl0/Es1tFR/g=; b=uPY74l7yW1C3SMme9WspLqmlgbOG/1gxoQIb7bMyU3cw/6pR8ySzAgo8TFn4X/z6wO /346TTPk09lE4IFIdygKhvJvFI0QbsETzFnHBLvoQQe8Kc5+J9lhwagL3j+fNwDIZXsi mi/6Ap/MyI2mdIIjONllWoPp1+zAoHSkNbiQGgBdaRh6T5cHVFhH3ZufYIHipYi/hCZB hq/OUAGPoBUC/h8NXf/K8vnHh7cg2ePfXGUdqe2GVtNwvc+bDrcThz3p1DiTCTk60ZeE 2jno6Dcsic7oCU3tqull9FaRY28+7fp6tsOhce2hchFRrYFnZm/+cCW2u8pybvZ+OELB uNsQ==
X-Received: by 10.180.211.239 with SMTP id nf15mr3692774wic.9.1398864329875; Wed, 30 Apr 2014 06:25:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.180.24.168 with HTTP; Wed, 30 Apr 2014 06:25:09 -0700 (PDT)
In-Reply-To: <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com> <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 30 Apr 2014 15:25:09 +0200
Message-ID: <CA+_8ft7fwatXJjDmcsHvXG5W+CRPAx8N1+cT9Mh86pntQ7=_vQ@mail.gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: multipart/alternative; boundary="001a11c264ec78a82904f8427bbe"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VgBgHWFEa3l-cOYa6hxswlYm0PI
Cc: "tls@ietf.org" <tls@ietf.org>, Alfredo Pironti <alfredo@pironti.eu>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 13:25:34 -0000
On Wed, Apr 30, 2014 at 2:15 PM, Bodo Moeller <bmoeller@acm.org> wrote > > <http://www.ietf.org/id/draft-bhargavan-tls-session-hash-00.txt> >> > Thanks, but haven't we seen that this alone doesn't actually fix the > problem? I think we'll need a requirement for clients and servers > implementing this spec to do one of the following, because an attacker > can't be expected to opt in to extended master secrets in its handshakes: > > (1) If the current session does not use an extended master secret, don't > allow renegotiation. > > (2) If a session does not use an extended master secret, don't allow it to > be resumed. > I agree that the first approach is probably more palatable for legacy applications. We should require no-renegotiation, and strongly recommend that application not use channel bindings or exported TLS keys (or PRFs) in this case. > > Approach 2 arguably is cleaner, but since it would entirely prevent > session resumption between updated implementations and legacy > implementations, it's probably not viable to roll out immediately. Maybe > for servers you'd initially want to pick either approach 1 or approach 2 > depending on the particular needs (whether renegotiation is needed at all), > while clients initially could allow *both* renegotiation and resumption for > new sessions, where whichever comes first for a given session would > disallow the other. Eventually, once support for extended master secrets > is reasonably widespread, everyone should switch to approach 2. > > Bodo > > > > > > > I think this is still missing a requirement for clients and servers that > implement the fixed > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Triple Handshake Fix. Adam Langley
- Re: [TLS] Triple Handshake Fix. Alfredo Pironti
- Re: [TLS] Triple Handshake Fix. Yngve N. Pettersen
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Rex
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller