Re: [TLS] Redefine Finished message for TLS 1.3 ?

Nicolas Williams <Nicolas.Williams@sun.com> Sat, 14 November 2009 22:00 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4FB8A3A679C for <tls@core3.amsl.com>; Sat, 14 Nov 2009 14:00:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.401
X-Spam-Level:
X-Spam-Status: No, score=-5.401 tagged_above=-999 required=5 tests=[AWL=-0.595, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id orcQo7wxXTf1 for <tls@core3.amsl.com>; Sat, 14 Nov 2009 13:59:59 -0800 (PST)
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by core3.amsl.com (Postfix) with ESMTP id 2E4443A6359 for <tls@ietf.org>; Sat, 14 Nov 2009 13:59:59 -0800 (PST)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nAEM0TKP013229 for <tls@ietf.org>; Sat, 14 Nov 2009 22:00:29 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nAELqxvU017263 for <tls@ietf.org>; Sat, 14 Nov 2009 14:53:00 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nAELXstB020529; Sat, 14 Nov 2009 15:33:54 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nAELXr8p020528; Sat, 14 Nov 2009 15:33:53 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Sat, 14 Nov 2009 15:33:53 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Nelson B Bolyard <nelson@bolyard.me>
Message-ID: <20091114213353.GN1105@Sun.COM>
References: <20091112181844.GE1105@Sun.COM> <200911122036.nACKa96m016227@fs4113.wdf.sap.corp> <20091112203847.GL1105@Sun.COM> <20091113082235.C55F469F381@kilo.networkresonance.com> <20091113164608.GT1105@Sun.COM> <4AFF0153.3090005@bolyard.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4AFF0153.3090005@bolyard.me>
User-Agent: Mutt/1.5.7i
Cc: tls@ietf.org
Subject: Re: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2009 22:00:00 -0000

On Sat, Nov 14, 2009 at 11:13:23AM -0800, Nelson B Bolyard wrote:
> On 2009-11-13 08:46 PDT, Nicolas Williams wrote:
> > The post with message-ID <20091113005419.GQ1105@Sun.COM>OM>, subject
> > "Comments on draft-rescorla-tls-renegotiate", sent at 18:54:19 -0600
> > yesterday most certainly described no Hello extensions, only a Finished 
> > message verify_data computation change.
> 
> EKR and Marsh Ray and some others will recall that I proposed essentially
> the same proposal that Nico is now proposing in the meeting meeting in
> Mountain View on September 29, 2009 to which Marsh Ray invited EKR, myself
> and numerous others from this working group.
> 
> I proposed that a change in the computation of the TLS Finished message
> to include some value derived from the master secret previously in use on
> the connection before the current renegotiation (such as the Finished
> message contents or some other value "extracted" from the master secret)
> would avoid the overhead of the new extensions on the wire.  My goal was
> to avoid the extra bandwidth and memory cost of those extensions, which
> might be deemed too costly in certain low memory or bandwidth constrained
> applications.
> 
> Others in the meeting responded that changing the definition of the
> computation of the Finished messages was a change to the base protocol
> specification (which adding an extension is not), and thus the change
> I proposed would make TLS become (say) TLS 1.3.

All things considered, I bet that the finished message verify_data
computation change is the simplest one to make.  Saying that because it
falls outside the spectrum of extensions that can be considered in TLS
1.0-1.2 it can't be considered is a bit of a stretch.  Imagine if we had
no client hello extensions, or that we couldn't use them because in
practice support for them was very spotty, then we'd have to resort to
this approach and no one would say "but we can't unless we call it TLS
1.3"!

That said, I don't think we need to change EKR's proposed fix.  My
purpose in throwing it out, with the big caveat that I included, was to
get those who are worried about SSLv3 to provide specific rationales for
why an extension-less approach should be preferable.  I.e., I was trying
to condense the SSLv3 sub-threads.

> But perhaps we should regard the new extension as a short term expedient,
> and plan to change the definition of the Finished message in TLS 1.3,
> so that the extension will no longer be necessary at some point in the
> future (when TLS 1.3 has become common place, maybe 10 years hence).

There's a certain, er, desire for something like a "secure bit" that can
be used to passively detect broken implementations.  With EKR's fix we
get that bit.  I don't really care for that bit: servers should be
patched, period, rejecting re-negotiations from unpatched clients, and
clients should be patched and should refuse to complete re-negotiation
with unpatched servers and complain _loudly_ about them -- that is the
least that we need, and IMO also all we need.

> Does the Working Group share interest in redefining the Finished message
> computation for TLS 1.3?

I doubt it.  Once the use of hello extensions is demonstrated to work
even for critical cases and when server hello extensions are needed,
then there's no need to change to using an unsignalled fix as in your/my
proposals.

However, I personally very much like the idea of a generic channel
binding facility in TLS, not so much for the purpose of channel binding
TLS to other channels (since EKR's fix takes care of the one case where
we need that) but for providing support to StartTLS-style applications
for authenticating pre-StartTLS negotiations.  For that, your/my
proposals will do (only using application-provided data as the "channel
bindings").

Nico
--