IETF Logo Mail Archive

Re: [TLS] PR ¤468: Cookie for hrr

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 22 May 2016 20:48 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D032212D5A6 for <tls@ietfa.amsl.com>; Sun, 22 May 2016 13:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELwNeKMlwsX0 for <tls@ietfa.amsl.com>; Sun, 22 May 2016 13:48:28 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id E9CC912D5A2 for <tls@ietf.org>; Sun, 22 May 2016 13:48:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 5A808E054; Sun, 22 May 2016 23:48:26 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 7erhbaROgHSM; Sun, 22 May 2016 23:48:26 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-155-121.bb.dnainternet.fi [87.100.155.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 0CB1F28C; Sun, 22 May 2016 23:48:26 +0300 (EEST)
Date: Sun, 22 May 2016 23:48:23 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160522204823.GC17811@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160522142212.GA17666@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPEQMJvBkb9kNvE4XeV8PyXoi=MchxrjPmmmYbJ8aXamQ@mail.gmail.com> <20160522155921.GA17811@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPBtuqm-Qz7+WaQfaCzqKSXdpfER-cRHxCV0reae6vpyg@mail.gmail.com> <20160522193302.GB17811@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNG0dkqTbJ0HNYJOi3Uk7SHGm85AwkWtPTcO3ff6Ag_1A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBNG0dkqTbJ0HNYJOi3Uk7SHGm85AwkWtPTcO3ff6Ag_1A@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_DqmtQqMDd78gHPVBaru3tMwRZ0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR ¤468: Cookie for hrr
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 May 2016 20:48:30 -0000

On Sun, May 22, 2016 at 12:50:38PM -0700, Eric Rescorla wrote:
> On Sun, May 22, 2016 at 12:33 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Sun, May 22, 2016 at 11:30:10AM -0700, Eric Rescorla wrote:
> > > On Sun, May 22, 2016 at 8:59 AM, Ilari Liusvaara <
> > ilariliusvaara@welho.com>
> > > wrote:
> > >
> > > > Actually, looking at it, I didn't find how EDI context is
> > > > determined. And EDI context needs to be fit into cookies because
> > > > it isn't retransmitted on 2nd CH.
> > > >
> > >
> > > I don't understand what you're saying here. Here is my claim:
> > >
> > > 1. The second ClientHello doesn't come with EDI.
> > > 2. The Cookie (if used for this) needs to contain the entire hash
> > >     state, which means it includes the ClientHello w/ EDI transitively.
> > > 3. Therefore you can recover the hash state no matter how much
> > >     the client changes the ClientHello (though we forbid a lot of
> > >     changes)
> > >
> > > If I'm wrong here, would definitely like to know. Can you explain?
> >
> > That would require hash implementation supporting freezing/thawing
> > (I have seen only one, and that used MD5), which is even more exotic
> > than forking checkpointable hash implementations.
> >
> 
> This is a bit of an irritation, I agree. However, it's only required for
> stateless implementations, so not your average TLS stack. If you
> have a better suggestion, I'd love to have it, thought!

Well, if you didn't have to deal with possibly overly large contexts,
you could just reconstruct the 1st ClientHello and HelloRetryRequest.

(Reconstruction is even easier without having to worry about cross-
handshake cookies). 
 

-Ilari

v2.23.0 | Report a Bug | By Email