Re: [TLS] Comments on TLS identity protection
<home_pw@msn.com> Tue, 26 December 2006 21:21 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GzJjV-0000Tj-Ip; Tue, 26 Dec 2006 16:21:13 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GzJjU-0000TE-Eo for tls@ietf.org; Tue, 26 Dec 2006 16:21:12 -0500
Received: from bay0-omc2-s26.bay0.hotmail.com ([65.54.246.162]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GzJjT-0005aH-0I for tls@ietf.org; Tue, 26 Dec 2006 16:21:12 -0500
Received: from hotmail.com ([65.54.174.77]) by bay0-omc2-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 26 Dec 2006 13:21:10 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 26 Dec 2006 13:21:10 -0800
Message-ID: <BAY103-DAV55EDC979920A3B650664792C10@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV5.phx.gbl with DAV; Tue, 26 Dec 2006 21:21:06 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: EKR <ekr@networkresonance.com>
References: <86vek7pph4.fsf@raman.networkresonance.com><200612192115.WAA22812@uw1048.wdf.sap.corp><20061220123640.GB21201@tau.invalid><BAY103-DAV16CA488319082D81A3B00C92C20@phx.gbl> <86y7ouslir.fsf@delta.rtfm.com>
Subject: Re: [TLS] Comments on TLS identity protection
Date: Wed, 27 Dec 2006 08:30:23 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 26 Dec 2006 21:21:10.0481 (UTC) FILETIME=[C3960C10:01C72933]
X-Spam-Score: 2.5 (++)
X-Scan-Signature: 093efd19b5f651b2707595638f6c4003
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
----- Original Message ----- From: "EKR" <ekr@networkresonance.com> To: <home_pw@msn.com> Cc: "Bodo Moeller" <bmoeller@acm.org>; "Martin Rex" <martin.rex@sap.com>; <tls@ietf.org> Sent: Tuesday, December 26, 2006 7:51 AM Subject: Re: [TLS] Comments on TLS identity protection > <home_pw@msn.com> writes: > >> Normally, client auth is not allowed on a PKI-class ciphersuite, if >> the server has not performed server auth. (In a mix of PKIand non-pki >> ciphersuites -during a change-ciher-spec between the two - things are >> admittedly more ambiguous.) >> >> On a PKI-class limited renegotiation case (or a session resumption >> case), server auth is implied, of course - assuming both enc and mac >> ciphers mechanism are not NULL. > > There's no way in TLS to currently have a NULL MAC algorithm. > I doubt there is lilkely to be one soon. There was no way for a client to directly control the encryption keys/IVs of a connection, until Fortezza_dms defined itself a way in its ciphersuite/serverkeyexchange! Clearly, we cannot say the SSL architecture denied that practice, or akin practices someone defines local for a (weird) MAC regime! We should learn to say "IETF standardized/endorsed ciphersuites don't...". TLS has clearly evolved, as a defined term, under the tutelage of IETF. We now understand that an "IETF-Conforming TLS implementation" may process local cipersuites, and its necessarily associated key agreement mechanisms, opaque handers, custom types, ephemeral handling. This is a consequent of standardizing the very means of denoting local ciphersuites - an excellent IETF move, if I may deliver an architectural compliment. > >> For SSL3 using the RSA ciphersuites, one can ask for client auth on >> handshake#2, without having provided server cert chain on that second >> 'shake; server auth being established in the TLS resumed session (and >> renewed Connection) state. > > I don't believe that this is correct. The state machines for the > two handshakes aren't really related. What language leads you > to believe that this is OK. Perhaps its my mental model at fault; this is not uncommon! (And I known I'm pushing the envelope, here; repeating questionable reasoning used - and previously challenged - 10 years ago, in a similar debate. I'm only interesting in RSA optimization, remember. And, I'm not interested in hobbling RSA, to be only used in modes equivalent to the limits facing other PKC schemes. And, lots of multi-key/multi-phase RSA computational variants exist, awaiting exploitation by designers of local ciphersuites.) Anyhows, Session Handshakes create pool(s) of TEKs/IKs/MEKs... using PKC algs, with centralized cache and cache protocols based off of sessionid and closure rules (per TLS and per app) that only influence connections that are yet to be active. Connections spawn off of these entries, by embodiment-specific means (perhaps each NIC uses an IEEE protocol to talk to the common session cache on the local or remote master switch in the subnet/vlan's STP, overcoming its vlan partioning sandbox that otherwise limits access to the particular session cache instance shared by all entities on the (tunneled) vlan) I see each such entry as being an "instance-factory pattern"; several runs of the truncated hello->final protocol on some bearer may each then renew the random components of the connection state(s), per connection duplication of an active session. Perhaps the http flows within may be pipelined, which includes how TLSconnections and per-connection TLS messages are mapped to bearer(s). This is particularly relevant if there is natural parallelism or streaming protocols in effect (e.g classical HTML page resolution where inline DHTML duplicates the active session to strongly name the address(es) resolved for relative URLs subordinate to that page). Now, for given cached session state (created by shake#1), and the connection stated with "renewed random values" are the two handshakes not linked by values used in the final protocol of the duplication session? Particularly, where we are are using unique TLS transports for each TLS COnnection, don't we need to rely on "inter-handshake linkage" using cryptographic strength - such that a client auth done on one TCP connection is carried forward onto the TLS Connection duplicated from its parent that as in turn communicated a different TCP (but still active) connection? (This seemed to be one of the areas in SRP that they had not quite got correct, yet.) And, then turning the argument around, doesn't the same reasoning apply for server auth? > > -Ekr Some fun in 2818, also, (half-)reasoning by analogy:- If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.) In such cases, it is important to narrow the scope of acceptable certificates as much as possible in order to prevent man in the middle attacks. In special cases, it may be appropriate for the client to simply ignore the server's identity, but it must be understood that this leaves the connection open to active attack. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Kyle Hamilton
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Bodo Moeller
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection badra
- RE: [TLS] Comments on TLS identity protection Pasi.Eronen
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Eric Rescorla
- Re: [TLS] Comments on TLS identity protection badra
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection Badra
- Re: [TLS] Comments on TLS identity protection Omirjan Batyrbaev
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection Martin Rex
- RE: [TLS] Comments on TLS identity protection Peter Williams
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection Martin Rex
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw
- Re: [TLS] Comments on TLS identity protection EKR
- Re: [TLS] Comments on TLS identity protection home_pw