Re: [TLS] Consensus Call: FNV vs SHA1

Simon Josefsson <simon@josefsson.org> Mon, 10 May 2010 21:48 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D5343A6AA0 for <tls@core3.amsl.com>; Mon, 10 May 2010 14:48:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.486
X-Spam-Level:
X-Spam-Status: No, score=-1.486 tagged_above=-999 required=5 tests=[AWL=-0.746, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXiJWMDkhA99 for <tls@core3.amsl.com>; Mon, 10 May 2010 14:48:25 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id EAF483A6A58 for <tls@ietf.org>; Mon, 10 May 2010 14:48:23 -0700 (PDT)
Received: from mocca (c80-216-25-148.bredband.comhem.se [80.216.25.148]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o4ALm9XU015429 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <tls@ietf.org>; Mon, 10 May 2010 23:48:10 +0200
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
References: <AC1CFD94F59A264488DC2BEC3E890DE50A43B479@xmb-sjc-225.amer.cisco.com> <20100510190954.GV9429@oracle.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100510:tls@ietf.org::cSnAxgY8pMB1AEmy:3oJz
X-Hashcash: 1:22:100510:jsalowey@cisco.com::yea5GLeVCjxuVdsc:7wtR
X-Hashcash: 1:22:100510:nicolas.williams@oracle.com::yNRQqzbb5bjP8mQE:HfUv
Date: Mon, 10 May 2010 23:48:09 +0200
In-Reply-To: <20100510190954.GV9429@oracle.com> (Nicolas Williams's message of "Mon, 10 May 2010 14:09:55 -0500")
Message-ID: <87r5lj4eee.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Virus-Scanned: clamav-milter 0.96 at yxa-v
X-Virus-Status: Clean
Subject: Re: [TLS] Consensus Call: FNV vs SHA1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 21:48:26 -0000

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

>  - Add a description of what happens if cached object checksums collide.
>
>    No, the current security considerations section doesn't deal with
>    this, and rightly so _if_ collisions are not a security problem, but
>    what happens when there are collisions?  Do hanshakes fail?

I agree that it is important to explain this.

If collisions happen, it appears that we do get slightly weaker
semantics of what it means for a handshake to succeed: we aren't
cryptographically certain (in the sense that there is cryptographic
reduction) that the client and server agree on the data used during the
handshake for cached items (CA cert list, server certificate) after the
handshake has concluded.

It seems a server could easily create two pairs of server certificates
that results in the same FNV-1a value but are different certificates.  A
client connecting to a server offering a cached value for the server
certificate would not know which server certificate was intended, even
after completing the handshake.  If correct, that seems surprising.

This requires a conspiring server, so maybe it is irrelevant.

This problem would be solved if the Finished message were computed over
the replaced data rather than the digest value.  Then any data
mismatches would be detected at the TLS Finished computation, and the
handshake fail.  Perhaps this is simpler than introducing a
cryptographic digest.

It is late here, so I may be totally missing some aspect.

/Simon