IETF Logo Mail Archive

Re: [TLS] Verify data in the RI extension?

Eric Rescorla <ekr@networkresonance.com> Fri, 27 November 2009 15:10 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91DE13A68D8 for <tls@core3.amsl.com>; Fri, 27 Nov 2009 07:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.107
X-Spam-Level:
X-Spam-Status: No, score=0.107 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgk4w5ttVF5H for <tls@core3.amsl.com>; Fri, 27 Nov 2009 07:10:34 -0800 (PST)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id C37F83A6836 for <tls@ietf.org>; Fri, 27 Nov 2009 07:10:34 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id BDEF16C3795; Fri, 27 Nov 2009 07:11:13 -0800 (PST)
Date: Fri, 27 Nov 2009 07:11:12 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Stefan Santesson <stefan@aaa-sec.com>
In-Reply-To: <C7355261.6BB2%stefan@aaa-sec.com>
References: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com> <C7355261.6BB2%stefan@aaa-sec.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091127151113.BDEF16C3795@kilo.networkresonance.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2009 15:10:36 -0000

At Fri, 27 Nov 2009 09:54:41 +0100,
Stefan Santesson wrote:
> 
> The current draft-ietf-tls-renegotiation-01.txt still promotes RI extension
> containing verify_data from previous handshake.
> 
> Sorry for repeating my question, but I would be really interested to know
> why this is considered a better security design, than to simply send an
> empty RI (and to feed the values directly into Finished calculation without
> exchange).

I think I answered this question with my view in an earlier message:

  This requires breaking the current clean definition of handshake
  hashes as the hash of all the handshake messages and simply adding
  some synthetic message in the middle. I don't think this is anywhere
  near as clean, as evidenced by the ongoing debate about whether to put
  it the synthetic data in the front, the back, incorporate it into the
  PRF, or chain the pre-existing handshake messages. [FWIW, I think I
  prefer the last of these implicit versions.]
  
  By contrast, RI allows that part of the system (which is well
  understood) to remain the same and in fact when RI is offered on the
  first handshake, there is no change to the TLS core at all. It's all
  just hashed into Finished as part of the ordinary TLS procedures,
  and everything is in fact compliant TLS, which I think is desirable.
  
  I appreciate that this is to some extent a matter of tradeoffs,
  but I don't find the arguments in favor of the implicit version
  very compelling when weighed against the above.

I also share David Hopwood's concern about ambiguity in the handshake
hashes stream created by having data which is not properly formatted
injected into the hash
(http://www.ietf.org/mail-archive/web/tls/current/msg04857.html),
so I don't think the particular approach in Martin's draft is
really satisfactory.

This isn't to say that one couldn't design a mechanism that didn't
carry the signaling data over the wire--one obviously could. 
However, when I look back over the 50 or so messages that were
sent to the list yesterday, a large fraction of them are various
tweaks on exactly how incorporate that data, which suggests to
me that this approach isn't at all easy to reason about.

-Ekr

v2.23.0 | Report a Bug | By Email