IETF Logo Mail Archive

Re: [TLS] WGLC: draft-ietf-tls-session-hash

Eric Rescorla <ekr@rtfm.com> Thu, 15 January 2015 22:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5778E1A90A9 for <tls@ietfa.amsl.com>; Thu, 15 Jan 2015 14:51:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExELlCJI_-7P for <tls@ietfa.amsl.com>; Thu, 15 Jan 2015 14:51:52 -0800 (PST)
Received: from mail-wg0-f54.google.com (mail-wg0-f54.google.com [74.125.82.54]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7E531A90A1 for <tls@ietf.org>; Thu, 15 Jan 2015 14:51:51 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id z12so17619490wgg.13 for <tls@ietf.org>; Thu, 15 Jan 2015 14:51:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=5x8aXk6Zjfih4o/3pNvxwE0/N7FPdI/swnpKBmvpGbY=; b=hHQE0FM5eqhhNVEhJ475Yv9w6OI7u0Sq7U+LY5M8vR19S/N7zO5dr7gkEBuSx83Buv WjXtgHFLQavIKK7d9FxeoWOHAowNeiTAnYZDAiMxiGK6YwdTX5ucu1WUaHWGtAFtLmSN 8J31Ybp37dVrX9rRhGGuHKOROhdoYRN/Kv92HxAwK70Jd4olUAB/Q/Ngskv2NKADzDTB 2PKCPf+snPpSXkjl1dgsKaVjkzZt5ZPm/Tuo9SXjvEYADBp40TqprBvcUQ4FX2bpeUS3 sraN0qGbdbXU+h/VcqSEzc3dhgHaEbiNjMmPdRerGuhRDv1oc/VABPWY5pKP1xtB0gLP EWuQ==
X-Gm-Message-State: ALoCoQlbUqaVrNDwOT0lL4q+O5Ri6fjiqXUfqSdMIFOBUbOJSXPmohN2E+RmbPUJ16QAmLsf7Ymf
X-Received: by 10.180.84.98 with SMTP id x2mr511855wiy.14.1421362310545; Thu, 15 Jan 2015 14:51:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.142.215 with HTTP; Thu, 15 Jan 2015 14:51:10 -0800 (PST)
In-Reply-To: <75C82EF9-8800-453F-A489-10FD26E7F2CD@gmail.com>
References: <E3E12F78-101D-4BA8-9EFB-53C24362066E@ieca.com> <62165FC2-540D-48A5-A7AC-3D6D9087FDD2@gmail.com> <B773EC7F-9CE8-4A23-AE53-9F2D4264B4F2@pahtak.org> <75C82EF9-8800-453F-A489-10FD26E7F2CD@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 15 Jan 2015 14:51:10 -0800
Message-ID: <CABcZeBMGkhaB4QW914A8cZjgGvnzXN-7Q9pYWWdgitcZzpSYeg@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="f46d044401b29e160b050cb8b310"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZUqZjQcQkEDPasUbtciEsgG0Vig>
Cc: Stephen Checkoway <s@pahtak.org>, "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] WGLC: draft-ietf-tls-session-hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2015 22:51:56 -0000

So to be clear, the proposed language is:

For sessions negotiated without EMS:
- SHOULD not resume
- MUST not resume sessions if the client offers EMS in the resumption
  (and therefore SHOULD do a complete negotiation).

For sessions negotiated with EMS:
- The client ??? offer EMS
- The server MUST NOT echo it?

I propose that the ??? be MUST and that the server MUST fail if the client
does not offer EMS. The intuition here is that the client is saying that it
wants EMS.

-Ekr

P.S. Thanks to Wan-Teh and Martin for talking this over privately.




On Mon, Nov 24, 2014 at 6:22 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> > On Nov 24, 2014, at 1:58 PM, Stephen Checkoway <s@pahtak.org> wrote:
> >
> >
> > On Nov 24, 2014, at 3:44 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >
> >> Third issue: Why can’t an attacker disable this protection by simply
> omitting the extension from both its ClientHello and ServerHello?  At least
> in the short term it won’t be practical to fail a handshake because the
> other side doesn’t support this extension. I guess the answer is that the
> ruse will work, but the other attacks mentioned in TRIPLE-HS will fail, but
> it’s not clear to me why. A can still proxy unchanged records from C to S
> if the connections are resumptions. Perhaps servers should be prohibited
> from resuming a session set up without this extension if the ClientHello
> does include the extension.
> >
> > The draft currently says "Clients and servers SHOULD NOT resume sessions
> that do not use the extended master secret..." Are you saying you want that
> to be MUST NOT?
>
> I missed that line.
>
> What I was suggesting was that servers MUST NOT resume sessions that were
> negotiated without the extended master secret in handshakes that do have
> the extension.
>
> Thinking it over now, I guess it would be better to have both lines,
> because there’s a significant performance penalty to prohibiting sessions
> resumption with all existing clients, and prohibiting the resumption where
> the attacker is not manipulating the handshake defeats the known attacks.
>
> Yoav
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email