[TLS] Comments on draft-rescorla-tls-opaque-prf-input-00.txt
Simon Josefsson <simon@josefsson.org> Wed, 15 August 2007 14:32 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ILJv0-0003bJ-He; Wed, 15 Aug 2007 10:32:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ILJuz-0003bD-3p for tls@lists.ietf.org; Wed, 15 Aug 2007 10:32:17 -0400
Received: from yxa.extundo.com ([83.241.177.38]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ILJux-0006l3-GN for tls@lists.ietf.org; Wed, 15 Aug 2007 10:32:17 -0400
Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l7FEW7Sx017804 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Aug 2007 16:32:08 +0200
X-Hashcash: 1:22:070815:ekr@networkresonance.com::qFUWcqAQiBu0YmFm:BmfZ
X-Hashcash: 1:22:070815:msalter@restarea.ncsc.mil::+duYo062MwMRXt2U:Ce3h
X-Hashcash: 1:22:070815:tls@lists.ietf.org::WTfOOflBiL0jc+Sd:3jHZ
From: Simon Josefsson <simon@josefsson.org>
To: ekr@networkresonance.com, msalter@restarea.ncsc.mil
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Wed, 15 Aug 2007 16:32:07 +0200
Message-ID: <873aykzx5k.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-1.0 required=4.0 tests=AWL,BAYES_50, FORGED_RCVD_HELO,SPF_PASS autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc: tls@lists.ietf.org
Subject: [TLS] Comments on draft-rescorla-tls-opaque-prf-input-00.txt
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Hi. I have read the document and wrote down some comments, that I try
to distill into this e-mail. Take this post for what its worth, an hour
or so worth of looking at the document and composing the feedback. I
may have misunderstood something, and in that case, I would appreciate
clarifications.
In general, I believe the document is in good technical shape, and that
implementations of it should be possible.
The abstract should spell out PRF, I suggest to replace:
This document describes a mechanism for using opaque PRF inputs with
Transport Layer Security (TLS) and Datagram TLS (DTLS).
with
This document describes a mechanism for using opaque pseudo-random
function (PRF) inputs with Transport Layer Security (TLS) and
Datagram TLS (DTLS).
The introduction, section 1, could be improved by also mentioning the
PRF term. I suggest to change:
The client and server each contribute a Random value which is then
mixed with secret keying material to produce the final per-
association keying material.
into:
The client and server each contribute a Random value which is then
mixed, using a pseudo-random function (PRF), with secret keying
material to produce the final per-association keying material.
The title of section 3.2 ('PRF Modifications') is miss-leading because
the PRF is not modified by this document. What is modified by the
document is the algorithm described in section 8.1 of RFC 4346. I
suggest to change the title of section 3.2 to 'Modifications to Master
Secret Computation'.
The observation in the previous paragraph may suggest that a better
title for the entire document would be 'Opaque Inputs to Master Secret
Computation for TLS'. The document only discuss new PRF inputs to one
particular use of the PRF. The document do not discuss new PRF inputs
to all PRF computations, which could be inferred from the current title
'Opaque PRF Inputs for TLS'. I got a flawed impression of the goals
with the document after reading the title and not having read much of
the details in the document.
Section 3.2 uses terms 'PMS' and 'MS' without explanation, and there is
no references to the appropriate place in RFC 4346 that is modified. I
suggest to replace the current paragraph:
When the opaque PRF input feature is in use, the opaque PRF input
values MUST be mixed into the PRF along with the client and server
random values during the PMS->MS conversion. Thus, the PRF becomes:
with the following:
When the opaque PRF input feature is in use, the opaque PRF input
values MUST be mixed into the PRF along with the client and server
random values during the pre-master secret to master secret
conversion (section 8.1 of RFC 4346). Thus, the step becomes:
The final paragraph in section 3.2 reads:
Because new extensions may not be introduced in resumed handshakes,
mixing in the opaque PRF inputs during the MS->keying material
conversion would simply involve mixing in the same material twice.
Therefore, the opaque PRF inputs are only used when the PMS is
converted into the MS.
The statement is not specific to resumed session, as far as I can tell.
Further, there is already a section 4.3 that explain the interactions
with resumed handshake (a forward reference would have helped me). I
believe it would be clearer to drop the reference to resumed handshakes
here, and focus on the assertion itself, because it is helpful in
understanding the design choice. I suggest to drop the first line, and
to add some references and word explanations, making the paragraph read:
Mixing in the opaque PRF inputs during master secret to keying
material conversion (see section 6.3 of RFC 4346) would simply
involve mixing in the same material twice. Therefore, the opaque PRF
inputs are only used when the premaster secret is converted into the
master secret. See also section 4.3.
For symmetry between (all in section 3.1):
If a client requires the opaque PRF input feature but
the server does not negotiate it, the client SHOULD generate a fatal
"handshake_failure" alert.
and:
In this
case, the server should generate a fatal "handshake_failure" alert.
I suggest the last 'should' be in upper case.
In section 4.1, I suggest to add something like this:
This extension enables client and servers to send significant amount
of data "out-of-band" to each other, which can be abused to leak
information.
Finally, I wonder whether the size limit of the opaque prf inputs is
appropriate. It is currently limited to 64KB. This is larger than what
would be justified by entropy to better seed the PRF, where (if I
understand the cryptography properly) you'd typically use 128 or 256
bytes. However, 64KB may be too limited if, as is suggested by the
document, the data will be in some pre-agreed format that the client and
server can parse and do something intelligible with. This also begs the
question whether there should be an optional type-indicator present, to
indicate the format of the opaque data?
/Simon
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls