Re: [TLS] client and server verify_data in draft-rescorla-tls-renegotiate.txt
David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 14 November 2009 02:38 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F38753A68F8 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 18:38:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJFQDMwYWWlW for <tls@core3.amsl.com>; Fri, 13 Nov 2009 18:38:06 -0800 (PST)
Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.26]) by core3.amsl.com (Postfix) with ESMTP id B8ED63A681A for <tls@ietf.org>; Fri, 13 Nov 2009 18:38:05 -0800 (PST)
Received: by ey-out-2122.google.com with SMTP id 9so1148280eyd.51 for <tls@ietf.org>; Fri, 13 Nov 2009 18:38:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=eUMHPYFQxN3fYwBEmrW3hnH48ms1RNKE27tXb7e8/zE=; b=FfacqixrDmZLRYAuT4N9aLcSimj28k5MJuYet0rgYllYFt5eGqFqCZaH9XH7ga7lLl 2LZ7HjpT7exqx6XojTdbREobBT8g1Emf0oDWgoDk2Kij9bnhzA2MOnqwhEot4689TnZK GIwraYe7DnE72cKnrT1jzZulKAxr1/xzFKYQw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=qel+s1U1MA3bYO/1V4sPplrRKKB3UW38q32vCv/fF5QcKXcxj+WR7sqmlCj/ZzMigh AT66dGN0E8v3Dk1bvMd9mwKkxfGat035gLiFJZpi57d4m/tRTUqavzGTOGTBaeqOfYL3 h6ky5EKPL5RJC2syxMLBO101CQ2i8EeVBx3+4=
Received: by 10.213.100.168 with SMTP id y40mr546853ebn.28.1258166312642; Fri, 13 Nov 2009 18:38:32 -0800 (PST)
Received: from ?192.168.0.2? (5e06f2bf.bb.sky.com [94.6.242.191]) by mx.google.com with ESMTPS id 7sm1599119eyg.41.2009.11.13.18.38.30 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 13 Nov 2009 18:38:31 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4AFE181B.2050502@jacaranda.org>
Date: Sat, 14 Nov 2009 02:38:19 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <7E1DF37F1F42AB4E877E492C308E6AC402430344@XCH57YKF.rim.net>
In-Reply-To: <7E1DF37F1F42AB4E877E492C308E6AC402430344@XCH57YKF.rim.net>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig6F099B361E2DDABB0F1FFBB1"
Subject: Re: [TLS] client and server verify_data in draft-rescorla-tls-renegotiate.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2009 02:38:07 -0000
Robert Dugal wrote: > A co-worker an I have been discussing the draft and have some concerns > about sending client and server verify_data in the extension. > > In the ClientHello, the client sends the verify_data from the client's > previous Finish message as the renegotiated_connection data. > > In the ServerHello, the server sends both the cient's verify_data and > the server's verify_data. > > This data is not normally sent in the clear and I am wondering if this > will provide additional data that can be used to mount some other form > of attack . I can't see a feasible attack as long as the hash function doesn't reveal information about its input. However, I think you're right to be concerned; we need input from experienced cryptographers about this. > The only reason we are sending any data at all is to prove that the > renegotiation is bound to a previous handshake, so why not bind it with > some data that is on the wire and visible to everyone? > > > > One possability is to use the client and server randoms as the > renegotiated_connection data. This data is sent as plaintext on the > wire so it reveals nothing the attacker doesn't already know. That doesn't have the same security properties. It is possible for two different sessions to have the same (ClientRandom, ServerRandom) pair. (Attacker acts as a MITM and forwards client's random to server and vice-versa.) The Finished hashes, OTOH, are unique to a session because an attacker can't force the whole handshake to be identical for two sessions (well, unless they are talking to themself). > Another alternative could be to use the client's encrypted Finish > message rather than the verify_data from Client's Finish message, and > server's encrypted Finish message. That would work. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- [TLS] client and server verify_data in draft-resc… Robert Dugal
- Re: [TLS] client and server verify_data in draft-… Nicolas Williams
- Re: [TLS] client and server verify_data in Martin Rex
- Re: [TLS] client and server verify_data in draft-… Eric Rescorla
- Re: [TLS] client and server verify_data in draft-… David-Sarah Hopwood
- Re: [TLS] client and server verify_data in draft-… David-Sarah Hopwood