Re: [TLS] CCS and key reset and renegotiation

Yoav Nir <> Thu, 05 June 2014 17:24 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Jun 5, 2014, at 7:42 PM, Viktor Dukhovni <> wrote:

> On Thu, Jun 05, 2014 at 08:25:26AM -0700, Watson Ladd wrote:
>>> I think it adds weight to my concern about using ChangeCipherSpec to do
>>> key reset.  I still prefer the trade-offs of having a "slow the TLS but
>>> keep the TCP layer open" and starting over.  Much simpler to prove it's
>>> correct.
>> What can change when that happens? Furthermore, rekeying is a matter of
>> getting more PRF output: how does that introduce security concerns.
> Whether or not rekeying is easier to implement with a STOPTLS, or
> by switching directly from one keyset to another, without an
> intermediate transition to cleartext, a STOPTLS feature has additional
> upside.  I don't recall whether this idea got dropped, or whether
> STOPTLS might yet happen in TLS 1.3.  Anyone care to bring me up
> to speed?


StopTLS is just an idea I threw around ([1]) in response to some other idea that someone said in the room (no idea who and don’t remember what) in pretty much the last minute of the Interim meeting. I think it was a response to some other suggestions to get rid of renegotiation for rekeying, such as requiring everyone to start a new connection (StopTLS saves a round-trip), or various kinds of abbreviated handshake (StopTLS is simpler). 

StopTLS would need some mechanism to prevent a Dispensa/Ray/Rex prefix injection attack.

It’s not currently a part of any plan for any version of TLS.


[1]  at time 19:40:04