Re: [TLS] Triple Handshake Fix.
Karthik Bhargavan <karthik.bhargavan@gmail.com> Wed, 30 April 2014 13:20 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0551A08CB for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZaP4f1XUZwAG for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 06:20:25 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) by ietfa.amsl.com (Postfix) with ESMTP id 0EF641A08BB for <tls@ietf.org>; Wed, 30 Apr 2014 06:20:24 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id k14so1658727wgh.33 for <tls@ietf.org>; Wed, 30 Apr 2014 06:20:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=kxYOYjU5KUxWImg6F5zoCWl/GF2/fpcyFfEiuvV4tCc=; b=hjQVP7CPGMT49gYyocw8/eYsbnPyxxGI0VKsKrGhiWbk4l2qqYlfljFzhiJnwkGaP8 gRC4ikPPlcZYeUJHVzZ/GHGfGETAWprRqY86AJ31GliK8O+fxRzoi3GXx6HeRk+5BkqJ pMi1zxvRd6IerMq2oNe0mmJ6lHkcwJvfYFULgYB+xVVqzbrHwmlxtWZwBwnJN6opndZn ANUsFfxezsn/qOvNwXUiJKse5gyXJuoPkg/3E8PuRa84+JhIEZ0OshMGZ9LkNn3vbiQC quJtLM7ars6kEAXbd9+Hkn6d+mWByeyDUpKQ8BTTolEYs5gtJ2XhBXmVezVMal+4RkLM l1Bg==
X-Received: by 10.180.100.234 with SMTP id fb10mr3735547wib.26.1398864023120; Wed, 30 Apr 2014 06:20:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.180.24.168 with HTTP; Wed, 30 Apr 2014 06:20:03 -0700 (PDT)
In-Reply-To: <m2lhunwy32.fsf@localhost.localdomain>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <m2lhunwy32.fsf@localhost.localdomain>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 30 Apr 2014 15:20:03 +0200
Message-ID: <CA+_8ft7XCoZ5LsRns8o+aMik5zCFB_L9TbASWv+n9P+nJsmHfw@mail.gmail.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: multipart/alternative; boundary="f46d043748f32ff38804f8426966"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YUdtX0wZ-9jVoqaMsJ-AB30cYp8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 13:20:26 -0000
> I read this and couldn't work out how it interacted with > renegotiation. I'm surprised there's no discussion of renegotiation > at all in section 3. Does 'handshake_messages' include: > > a) Only the first handshake; or > for each session, handshake_messages includes messages in the full handshake that set up the session. each full renegotiation handshake sets up a new session and hence a new session hash. the session hash countermeasure is meant to link resumed connection with the original connections where the session was created. independently, we still need renegotiation indication (rfc4726) to link different handshakes on the same connection. in other words, the session hash complements rfc5746, it does not replace it. I also note that the draft leaves out the (last?) 'certificate verify' > message, is that intentional? Are there any security consequences? > CertificateVerify is not part of the handshake_messages on purpose, since the SSL 3.0 CertificateVerify message uses the master secret. So, to be backward compatible with SSL 3.0, we need to compute the master secret before this message. Is there a ciphersuite where the CertificateVerify message carries new contextual information that is not present in the previous messages? In the key exchanges we have looked at, excluding this message seems to be safe (e.g. the client certificate is in a previous Certificate message). -K > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Triple Handshake Fix. Adam Langley
- Re: [TLS] Triple Handshake Fix. Alfredo Pironti
- Re: [TLS] Triple Handshake Fix. Yngve N. Pettersen
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Rex
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller