Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

[Stefan Santesson <stefan@aaa-sec.com>]

On 10-05-11 5:57 PM, "Nicolas Williams" <Nicolas.Williams@oracle.com> wrote:

> On Tue, May 11, 2010 at 04:45:51PM +0200, Stefan Santesson wrote:
>> Wouldn't this be solved automatically if the cache is flushed upon failure?
> 
> Not really:
> 
> a) the failed handshake will be visible to the application
> (handshake_failure is a fatal error);
> 

Yes

> b) the failure will eventually happen again (since the user will most
> likely want to talk to the same servers whose objects' checksums
> collided.
> 

Yes, and with the cash for that server flushed, the client will be bound to
retry without caching (since it has no data cached anymore).

The client will then (typically) update it's cache on the next successful
handshake and problem should be fixed.

/Stefan

> I think you'll want to say that the cache must not be flushed, but
> rather that objects with colliding checksums must be flagged as such so
> that they are never used again via this extension.
> 
> Again, I expect this will not often be a problem, but when and if it is
> then this problem might be difficult to diagnose and re-occur too often.
> 
> I think this argues for a cryptographic hash.  Collisions are not a
> security problem here, but they are an operational problem.  IMO this
> rules out FNV-1a.  Also, as Uri points out, you will want to have larger
> numbers of hash bits (64 is too few for this application).
> 
> Nico