Re: [TLS] Renegotiation: trying to summarize
Geoff Keating <geoffk@geoffk.org> Wed, 25 June 2014 04:51 UTC
Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0833D1B2AB6 for <tls@ietfa.amsl.com>; Tue, 24 Jun 2014 21:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_66=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bU5Affa0bTut for <tls@ietfa.amsl.com>; Tue, 24 Jun 2014 21:51:25 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 931C01B2AAD for <tls@ietf.org>; Tue, 24 Jun 2014 21:51:25 -0700 (PDT)
Received: from [10.0.69.132] (unknown [198.0.208.82]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by dragaera.releasedominatrix.com (Postfix) with ESMTP id E4ED233D025; Wed, 25 Jun 2014 04:51:24 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Geoff Keating <geoffk@geoffk.org>
In-Reply-To: <20140624234351.32F161AD64@ld9781.wdf.sap.corp>
Date: Tue, 24 Jun 2014 21:51:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <59837AA9-8C37-42D2-AB8B-A45AF6B02B97@geoffk.org>
References: <20140624234351.32F161AD64@ld9781.wdf.sap.corp>
To: mrex@sap.com
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_aT3EYGl13itnmkYHIyYAed7tc0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotiation: trying to summarize
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 04:51:28 -0000
On 24 Jun 2014, at 4:43 pm, Martin Rex <mrex@sap.com> wrote: > Geoffrey Keating wrote: >> >> I believe there was also a proposal to allow client auth at any point >> during the session, but not renegotiate: no new ciphers, no new keys, >> just send CertificateRequest and get back Client Certificate and >> CertificateVerify. This does prevent use of client certificates with >> encryption-only algorithms, but it seems such a thing should be used >> from the start of the connection anyway. >> >> Compared to renegotiation this allows many simplifications: > > I believe that just the opposite is true, this opens a whole new can > of worms. > > Really, the existing renegotiation is both strong and simple. > > > For most of our (customer's) usage scenarios, TLS session caching > is a MUST, and the session caching concept with renegotiation is > simple and clear. I think there is strong evidence to the contrary: If it was simple and clear, the triple handshake attacks would not have been possible. > A TLS session that authenticates only the server (certificate) within > TLS has different properties than a TLS session that authenticates > both, client&server. With traditional renegotiation, these are > distinct SSL sessions (as far as caching is concerned), and either > one can be resumed. So, in current TLS, if a session is established with no client authentication, and then there's renegotiation with a client certificate, and then the first session is resumed, has that resumed session been authenticated by the client certificate? It seems like with the renegotiation fix, the entity that established the second session has signed data that associates them with the first session. Did they mean to do that? Will the server interpret it that way? Is it safe for the server to interpret it that way? > The most common use of renegotiation is to change the status of > one (or both) peers from not authenticated in the existing session > to authenticated in the renegotiated session. Actually, it is used to change the status in *both* sessions. In HTTPS, the protocol exchange does not go: -> PUT authenticated path <- please renegotiate, and now I want a client auth <> renegotiation <- thank you, but your previous request gets an error because it was sent before you authenticated -> PUT authenticated path <- OK, send me the data what actually happens is: -> PUT authenticated path <- please renegotiate, and now I want a client auth <> renegotiation <- thank you, send me the data The server uses the renegotiation to authenticate the request sent before the renegotiation. (I used PUT here to make it clearer, but the same principle applies to a regular GET request.)
- [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Andrei Popov
- Re: [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Geoffrey Keating
- Re: [TLS] Renegotiation: trying to summarize Salz, Rich
- Re: [TLS] Renegotiation: trying to summarize Martin Thomson
- Re: [TLS] Renegotiation: trying to summarize Peter Gutmann
- Re: [TLS] Renegotiation: trying to summarize Martin Rex
- Re: [TLS] Renegotiation: trying to summarize Watson Ladd
- Re: [TLS] Renegotiation: trying to summarize Geoff Keating
- Re: [TLS] Renegotiation: trying to summarize henry.story@bblfish.net