Re: [TLS] New drafts: adding input to the TLS master secret

Paul Hoffman <> Wed, 03 February 2010 16:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 18C8028C0D9 for <>; Wed, 3 Feb 2010 08:06:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.05
X-Spam-Status: No, score=-6.05 tagged_above=-999 required=5 tests=[AWL=-0.004, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 35udMe+d1ui6 for <>; Wed, 3 Feb 2010 08:06:19 -0800 (PST)
Received: from (Balder-227.Proper.COM []) by (Postfix) with ESMTP id 1A2F628C123 for <>; Wed, 3 Feb 2010 08:06:18 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.2/8.14.2) with ESMTP id o13G6xAQ046736 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 3 Feb 2010 09:07:00 -0700 (MST) (envelope-from
Mime-Version: 1.0
Message-Id: <p06240804c78f4cfc4ce4@[]>
In-Reply-To: <>
References: <p0624089bc78922bdaddd@[]> <> <p06240813c78e116da3f6@[]> <001001caa442$beefbde0$3ccf39a0$@org> <p06240829c78e37e5a850@[]> <001101caa44b$35f6f540$a1e4dfc0$@org> <p06240831c78e4f0e15ee@[]> <> <p0624083bc78e8c1563cc@[]> <> <p0624083ec78eaacd96fa@[]> <>
Date: Wed, 3 Feb 2010 08:06:59 -0800
To: Marsh Ray <>
From: Paul Hoffman <>
Content-Type: text/plain; charset="us-ascii"
Cc: "" <>
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Feb 2010 16:06:20 -0000

At 10:19 AM -0500 2/3/10, Marsh Ray wrote:
>I was thinking of TLS 1.0, since that's what seems to be mostly used.

draft-hoffman-tls-master-secret-input explicitly says it is modifies TLS 1.2.

>This is where my authority to speak goes off a cliff. But that never
>stopped me before. Anyway, it looks to me like HMAC PRF in TLS 1.0
>amounts to little more than the better of the two hash functions, which
>in this case is SHA-1.

Mixing cryptographic apples and oranges may not be helpful for this discussion. Please say whether or not you think that there is a cryptographic flaw in draft-hoffman-tls-master-secret-input that applies to TLS 1.2. If there is, then there is probably an underlying flaw in TLS 1.2 by itself, and that should be discussed seriously. I suspect that there is not.

> >> It also requires clients and servers to buffer the stuff and later
>>> implement a sorting algorithm based on type order.
>> By "later" you mean "still within the same handshake sequence" and by
>> "sorting algorithm" you mean "ascending order of two-byte numbers",
>> yes?
>>> Lots could go wrong with that. Pathological sort order DoS attacks,
>>> etc.
>> Please explain further. The TLS spec says that you can only have one
>> instance of an extension in a handshake. Thus, all TLS
>> implementations today already should be looking for multiple
>> instances of the same extension. What is left is a relatively small
>> number of extension values, each of which has a unique two-byte
>> number associated with it.
>Well, you could check for duplicated extension IDs with a hash table
>data structure that is O(1) in space and time.

The proposal in draft-hoffman-tls-master-secret-input does not change this; the one-use-of-each-extension rule comes from the TLS 1.2 spec, not from the draft.

>Sorting is a little less predictable.
>> Where does "pathological sort order DoS
>> attacks" or "etc" come in?
>For example, once upon a time Perl used classic quicksort. Quicksort has
>this worst-case of O(n**2). Sending thousands of extensions ordered in
>the worst way can consume a bunch of CPU (the kind which might not be
>offloaded onto crypto accelerator hardware).

If there are thousands of extensions that do master secret input, and you have an implementation that is able to do all those thousands, then I would agree with you. However, I believe that the complexity of adding the code for those thousands of extensions is probably higher than the complexity of your algorithm that sorts two-byte numbers

>I'm not saying this is a significant argument against new features in
>general, only that adding new complexity adds new attack possibilities.


>So it needs a bit of justification.

It is justified because the two sides need to know what order to add in the values to the master secret PRF calculation. If the spec had said "in the order that the extensions came in", then you would be complaining that you need to add a new data structure to remember the order that they came in. Sorting on a value that is already in the extension data seemed like a better choice, yes?

--Paul Hoffman, Director
--VPN Consortium