IETF Logo Mail Archive

Re: [TLS] Triple Handshake Fix.

Karthik Bhargavan <karthik.bhargavan@gmail.com> Wed, 30 April 2014 13:25 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AED71A08BB for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aH8DONKQ1dZR for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:25:32 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id D49F11A08C3 for <tls@ietf.org>; Wed, 30 Apr 2014 06:25:31 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id cc10so9127148wib.2 for <tls@ietf.org>; Wed, 30 Apr 2014 06:25:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=w4zsZXi5enavItWQ+NII+4IiC4HinS5Yl0/Es1tFR/g=; b=uPY74l7yW1C3SMme9WspLqmlgbOG/1gxoQIb7bMyU3cw/6pR8ySzAgo8TFn4X/z6wO /346TTPk09lE4IFIdygKhvJvFI0QbsETzFnHBLvoQQe8Kc5+J9lhwagL3j+fNwDIZXsi mi/6Ap/MyI2mdIIjONllWoPp1+zAoHSkNbiQGgBdaRh6T5cHVFhH3ZufYIHipYi/hCZB hq/OUAGPoBUC/h8NXf/K8vnHh7cg2ePfXGUdqe2GVtNwvc+bDrcThz3p1DiTCTk60ZeE 2jno6Dcsic7oCU3tqull9FaRY28+7fp6tsOhce2hchFRrYFnZm/+cCW2u8pybvZ+OELB uNsQ==
X-Received: by 10.180.211.239 with SMTP id nf15mr3692774wic.9.1398864329875; Wed, 30 Apr 2014 06:25:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.180.24.168 with HTTP; Wed, 30 Apr 2014 06:25:09 -0700 (PDT)
In-Reply-To: <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com> <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 30 Apr 2014 15:25:09 +0200
Message-ID: <CA+_8ft7fwatXJjDmcsHvXG5W+CRPAx8N1+cT9Mh86pntQ7=_vQ@mail.gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: multipart/alternative; boundary="001a11c264ec78a82904f8427bbe"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VgBgHWFEa3l-cOYa6hxswlYm0PI
Cc: "tls@ietf.org" <tls@ietf.org>, Alfredo Pironti <alfredo@pironti.eu>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 13:25:34 -0000

On Wed, Apr 30, 2014 at 2:15 PM, Bodo Moeller <bmoeller@acm.org> wrote
>
>  <http://www.ietf.org/id/draft-bhargavan-tls-session-hash-00.txt>
>>
> Thanks, but haven't we seen that this alone doesn't actually fix the
> problem?  I think we'll need a requirement for clients and servers
> implementing this spec to do one of the following, because an attacker
> can't be expected to opt in to extended master secrets in its handshakes:
>
> (1) If the current session does not use an extended master secret, don't
> allow renegotiation.
>
> (2) If a session does not use an extended master secret, don't allow it to
> be resumed.
>


I agree that the first approach is probably more palatable for legacy
applications. We should require no-renegotiation, and strongly recommend
that application not use channel bindings or exported TLS keys (or PRFs) in
this case.



>
> Approach 2 arguably is cleaner, but since it would entirely prevent
> session resumption between updated implementations and legacy
> implementations, it's probably not viable to roll out immediately.  Maybe
> for servers you'd initially want to pick either approach 1 or approach 2
> depending on the particular needs (whether renegotiation is needed at all),
> while clients initially could allow *both* renegotiation and resumption for
> new sessions, where whichever comes first for a given session would
> disallow the other.  Eventually, once support for extended master secrets
> is reasonably widespread, everyone should switch to approach 2.
>
> Bodo
>
>
>
>
>
>
> I think this is still missing a requirement for clients and servers that
> implement the fixed
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email