[TLS] A crazy idea

Michael D'Errico <mike-list@pobox.com> Sun, 15 November 2009 04:06 UTC

Here's a crazy idea: we could define a completely incompatible change
to the way Finished messages are calculated even on initial handshakes.

A client can initially try connecting using the new Finished message
calculation, and if that fails, fall back to the original (if it's
willing to risk talking to an unpatched server).

The server has the advantage of receiving the client's Finished message
before it needs to send its own, so it can compute both the new and the
old versions to see which the client supports.  Then it can decide
whether to continue with the handshake or abort.  This also thwarts any
tampering by a MITM since neither calculation would match if messages
were altered.

For session resumption, each side would need to remember whether the
new or the old Finished calculation was used.

Just throwing the idea out there....

Mike
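
The server-side check described in this message, sketched as an added example; it is not part of the original post and not code from any TLS implementation. It uses the TLS 1.2 PRF from RFC 5246. The post does not define the new calculation, so `NEW_LABEL` is a hypothetical stand-in, and the function names and the session cache are assumptions.

```python
import hashlib
import hmac

OLD_LABEL = b"client finished"     # label defined in RFC 5246
NEW_LABEL = b"client finished v2"  # hypothetical: the post does not define the new calculation

def p_sha256(secret, seed, length):
    """P_SHA256 expansion from RFC 5246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def verify_data(master_secret, label, transcript):
    """PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    seed = label + hashlib.sha256(transcript).digest()
    return p_sha256(master_secret, seed, 12)

def classify_client_finished(master_secret, transcript, received, allow_old):
    """Return 'new', 'old', or None when the server should abort."""
    # Compute both candidates over the server's own view of the handshake
    # and compare each in constant time.
    new_ok = hmac.compare_digest(verify_data(master_secret, NEW_LABEL, transcript), received)
    old_ok = hmac.compare_digest(verify_data(master_secret, OLD_LABEL, transcript), received)
    if new_ok:
        return "new"
    if old_ok and allow_old:
        return "old"
    return None  # altered transcript, or old calculation refused by policy

class SessionCache:
    """Remembers which calculation a session used, for resumption."""
    def __init__(self):
        self._variant = {}

    def store(self, session_id, variant):
        self._variant[session_id] = variant

    def variant_for(self, session_id):
        return self._variant.get(session_id)  # None: unknown session, do a full handshake

if __name__ == "__main__":
    ms = bytes(48)                                       # constructed master secret
    seen = b"ClientHello|ServerHello|ClientKeyExchange"  # constructed transcript bytes
    print(classify_client_finished(ms, seen, verify_data(ms, OLD_LABEL, seen), True))
```

A `None` result covers both a transcript that differs between the two ends and a client using the old calculation against a server whose policy refuses it.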