Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next
Marsh Ray <marsh@extendedsubset.com> Wed, 16 December 2009 22:09 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 330F43A6A8F for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:09:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T+hLbjvnJvfb for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:09:19 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 29D5B3A6A8D for <tls@ietf.org>; Wed, 16 Dec 2009 14:09:19 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NL23M-0005vq-Lv; Wed, 16 Dec 2009 22:09:04 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 907D96678; Wed, 16 Dec 2009 22:09:02 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+0s0MkZd8rAISZXaQJLDMOic8kT+DHIfg=
Message-ID: <4B295A7E.4080901@extendedsubset.com>
Date: Wed, 16 Dec 2009 16:09:02 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: mrex@sap.com
References: <200912162059.nBGKx7Sv017923@fs4113.wdf.sap.corp>
In-Reply-To: <200912162059.nBGKx7Sv017923@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 22:09:20 -0000
Martin Rex wrote: > Kemp, David P. wrote: >> Martin's text contradicts the AD's decision ... > > I do not fully agree with the AD's determination of rough consensus. > > For the MCSV signaling, the real rough consensus is different from > what Pasi wrote: > > http://www.ietf.org/mail-archive/web/tls/current/msg05306.html That email is Michael Gray of IBM saying "I do not believe a technical objection to the CipherSuite method has been presented" which is not remotely the same as a real lack of "rough consensus". > A mandatory Client->Server signaling through cipher suite may > have less fanatic followers by the count of numbers, Fanaticism is orthogonal to cardinality. > but technical > advantages and _no_ technical objections have been raised against it. Let me re-state them then. Making SCSV mandatory means that it no longer is the equivalent of an empty extension, which raises the question of exactly what it does mean. Saying it means "I'm updated" is simply begging the question. Sending SCSV with no extension in a renegotiation Hello is a very questionable thing to do. That combination of values is needed for clients that wish to send an _initial_ hello and interoperate with extensions-intolerant servers! Overloading to also mean (and be ambiguous) with "I'm intentionally _renegotiating_ in a manner known to be insecure" is bad. And that is a technical objection. > The current either cipher suite or empty TLS extension RI signaling > may have more "pro", but has significant objections against it > because of the ambiguity, "MUST send this and/or that" is not an ambiguity and you know it. > increased complexity, I disagree, see below. > a 4x code size > burden for old non-rengotiating servers How can a TLS client prove in advance that the server could not have been enticed to renegotiate by a MitM? It is not possible to do in general, and thus no general implementation of the protocol can rely on it for security. I just don't see any explanation other than you are pushing this to save a few lines of code in your own particular circumstance. > and additional testing > complexity. Yes. These additional test cases are unfortunate, but nearly all vendors agreed that it was necessary to have an SCSV option to avoid hitting slow failures connecting to the extensions intolerant servers seen in the wild. If you were so concerned with testing complexity you wouldn't be pushing to make simplifying assumptions in your implementation. Testing all cases is certainly more work than the minimal code to support the one and/or requirement. > So as far as rough consensus is concerned, it is definitely > with the approach I described. The "mandatory SCSV" scheme seems primarily useful if your solution works by modifying the PRF inputs on renegotiation and letting the Finished hash comparisons detect the attack. That method had some merit and was given serious consideration by myself and many others. But again, the reason I could not ultimately support it is because it involved changing the cryptographic calculations. Regardless of whether you or I think that it was done correctly, it is a very very big deal to some important users. It will invoke a formal cryptographic review process which will prevent this solution from being usable by many important sites any time soon. Retro-fitting a "mandatory SCSV" requirement to the RI extension proposal is what introduces the complexity and ambiguity without a well-defined benefit. Here are all the things that have to happen in order for a mandatory SCSV requirement to be of benefit: 1. Client has to be in compatible/insecure mode. 2. Mitm has to impersonate a server of interest to the client. 3. Client does not check Mitm's cert on the initial handshake. 4. Client must be willing to conduct a server-initiated renegotiation (from anonymous server). 5. Legit target server has to be in compatible/insecure mode. If all these things happen, then the complicated protocol change prevents one attack variant but leaves others. In addition, another necessary condition for this to actually be a useful improvement is: 6. Mitm can find no unpatched server of equal or greater value with which to attack the connection of this client. The additional complexity and ambiguity that the "mandatory SCSV" scheme introduces for no real benefit is my technical objection against it. - Marsh
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood