Re: [TLS] Triple Handshake Fix.
Bodo Moeller <bmoeller@acm.org> Wed, 30 April 2014 12:50 UTC
Return-Path: <SRS0=1u8P=Z6=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB9071A6F7F for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 05:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.579
X-Spam-Level:
X-Spam-Status: No, score=-1.579 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXwHZvAJdxSA for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 05:50:21 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) by ietfa.amsl.com (Postfix) with ESMTP id 0C8FA1A6F79 for <tls@ietf.org>; Wed, 30 Apr 2014 05:50:11 -0700 (PDT)
Received: from mail-yk0-f176.google.com (mail-yk0-f176.google.com [209.85.160.176]) by mrelayeu.kundenserver.de (node=mreue003) with ESMTP (Nemesis) id 0Lbv6m-1X6nxD0RLY-00jKCr; Wed, 30 Apr 2014 14:15:59 +0200
Received: by mail-yk0-f176.google.com with SMTP id q9so1367179ykb.21 for <tls@ietf.org>; Wed, 30 Apr 2014 05:15:58 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.51.42 with SMTP id a30mr5220204yhc.19.1398860158136; Wed, 30 Apr 2014 05:15:58 -0700 (PDT)
Received: by 10.170.78.5 with HTTP; Wed, 30 Apr 2014 05:15:58 -0700 (PDT)
In-Reply-To: <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com>
Date: Wed, 30 Apr 2014 14:15:58 +0200
Message-ID: <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Alfredo Pironti <alfredo@pironti.eu>
Content-Type: multipart/alternative; boundary="bcaec50dc41ed0f89204f8418226"
X-Provags-ID: V02:K0:YbEFjN4ZbgqkhsAnykFwXsh0dys2SnyeKNl1/wqcldH 8ez4052vQqkwZallXsdxgoYim5sjDYBa90/1Da2jytSHL33NUI CYQD7WVI6mIYCN+WzSBrXblaycrr5At3bDClnWEw0THXJxscIw iAokjw/AOz+q1Xq4rhFZJkKX2REakTvITqcNITEzJ23oFiS/yT bBIwj+1To4N/8oGk2BhVjl0UAbTuBDEFVzR1P/4B1mBVcxkPkr ajYPFzoGgWAC1aHWxbvTRz0FOKr5e/0Q9qmezIWH26vSIvQnsL 2m3CYX3pah73rJ9yOJxsAZQyqN1NAjlfu6p/tc6dOuLNB15pLW +vqnHKGqpzfXmqVp5QONdF8+d92Pc9Eevl6kuPF03z7TcwjQvc q1mUClcLzERF96hBt7oy5rdrUb72wfwduGSFnMABQ5I/YiZ07+ 9Akdm
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/c4Ml9NAX9knikCVmUtVvOPUTXQg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 13:11:47 -0000
Alfredo Pironti <alfredo@pironti.eu>: I've uploaded the draft to the IETF repository [1]. > > [1] http://www.ietf.org/id/draft-bhargavan-tls-session-hash-00.txt > Thanks, but haven't we seen that this alone doesn't actually fix the problem? I think we'll need a requirement for clients and servers implementing this spec to do one of the following, because an attacker can't be expected to opt in to extended master secrets in its handshakes: (1) If the current session does not use an extended master secret, don't allow renegotiation. (2) If a session does not use an extended master secret, don't allow it to be resumed. Approach 2 arguably is cleaner, but since it would entirely prevent session resumption between updated implementations and legacy implementations, it's probably not viable to roll out immediately. Maybe for servers you'd initially want to pick either approach 1 or approach 2 depending on the particular needs (whether renegotiation is needed at all), while clients initially could allow *both* renegotiation and resumption for new sessions, where whichever comes first for a given session would disallow the other. Eventually, once support for extended master secrets is reasonably widespread, everyone should switch to approach 2. Bodo I think this is still missing a requirement for clients and servers that implement the fixed
- [TLS] Triple Handshake Fix. Adam Langley
- Re: [TLS] Triple Handshake Fix. Alfredo Pironti
- Re: [TLS] Triple Handshake Fix. Yngve N. Pettersen
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Rex
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller