IETF Logo Mail Archive

Re: [TLS] Verify data in the RI extension?

Michael D'Errico <mike-list@pobox.com> Sun, 29 November 2009 17:08 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E07773A6946 for <tls@core3.amsl.com>; Sun, 29 Nov 2009 09:08:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.515
X-Spam-Level:
X-Spam-Status: No, score=-2.515 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS9UW-KI5Ols for <tls@core3.amsl.com>; Sun, 29 Nov 2009 09:08:44 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 58D263A6962 for <tls@ietf.org>; Sun, 29 Nov 2009 09:08:43 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 00AA8A2E9B for <tls@ietf.org>; Sun, 29 Nov 2009 12:08:37 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=FQ1PgiyP2aG2 KPzQu3NHIHevvJE=; b=JJIIxIE6+foNRB9JBf5MV4qWczJhhlHXzBTKZMAWFGyA kvPdPtyXgZlS22P6DRjybt78oaB6K/ngfHHJLnMv2p/0u5Gu1ZnSD1VNiRR0r4yC jZTITRJy3hb/LXLk0iVWkbarKVhES4hm8QxJsKWUMN0zbbtFF3ATixwCXy4LjL4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=fdzIOV b1Dws7hmNu8+mXLQX+kmHFJmZJXTBZzAM6EodRLJrmJqn0A1xjg8o4xzUoplbYIK t9mMDIOtjnmZUYnJROiPKhdSC5cFxacUpQ/APKHrSm5fr2E5OyQ0QKkrPl3LTfWI LUFVcYL92YlLOS2tD28s3cP6+guJk9D7ez3io=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id F0AEDA2E9A for <tls@ietf.org>; Sun, 29 Nov 2009 12:08:36 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id 4C7F7A2E99 for <tls@ietf.org>; Sun, 29 Nov 2009 12:08:35 -0500 (EST)
Message-ID: <4B12AAF6.7060203@pobox.com>
Date: Sun, 29 Nov 2009 09:10:14 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com> <C7355261.6BB2%stefan@aaa-sec.com> <20091127151113.BDEF16C3795@kilo.networkresonance.com> <4B10E225.4010501@jacaranda.org> <CA341C50-8D89-49B3-A2C7-F870129093D1@acm.org>
In-Reply-To: <CA341C50-8D89-49B3-A2C7-F870129093D1@acm.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: D53912F4-DD09-11DE-AA6E-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2009 17:08:45 -0000

Bodo Moeller wrote:
> On Nov 28, 2009, at 9:41 AM, David-Sarah Hopwood wrote:
>>
>>   struct {
>>       enum { fake_finished(20) } fake_handshake_type;
>>       enum { zero(0), (2^24-1) } fake_length;
>>       opaque previous_client_verify_data<12..255>;
>>       opaque previous_server_verify_data<12..255>;
>>   } PreviousVerifyData;
>>
> (Encoding the actual combined length of the previous_..._verify_data 
> fields seems simpler to analyze -- this still wouldn't be a valid 
> Finished message; or hash an empty Finished first, then a pseudo-message 
> containing the previous verify data.  Of course, neither of this avoids 
> the potential problem with buggy receivers that ignore out-of-sequence 
> messages.  That pseudo-message *could* use the Certificate type to 
> maximize the probability that buggy implementations will look at it and 
> stop [given that Certificate is expected at that point of the protocol], 
> but I guess that looks even weirder.)

Encoding a longer length is even better since that will suck some of the
real Certificate message into the fake Finished message, making it
impossible for the handshake to complete.  How much longer?  Why not just
use the maximum length of 0xFFFFFF?

Mike

v2.23.0 | Report a Bug | By Email