Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Tue, 11 May 2010 13:54 UTC
Return-Path: <prvs=274770b3e0=uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68A2E3A68E1 for <tls@core3.amsl.com>; Tue, 11 May 2010 06:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.031
X-Spam-Level:
X-Spam-Status: No, score=-6.031 tagged_above=-999 required=5 tests=[AWL=0.567, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v376TzmqeSas for <tls@core3.amsl.com>; Tue, 11 May 2010 06:54:36 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by core3.amsl.com (Postfix) with ESMTP id 5DF9E28C0E7 for <tls@ietf.org>; Tue, 11 May 2010 06:54:05 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id o4BDrKQZ023925; Tue, 11 May 2010 09:53:51 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "'mrex@sap.com'" <mrex@sap.com>, "'Nicolas.Williams@oracle.com'" <Nicolas.Williams@oracle.com>
Date: Tue, 11 May 2010 09:53:49 -0400
Thread-Topic: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
Thread-Index: AcrxD68NF4c41bbDQXG0x59VhByLVAAAbLOz
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-05-11_04:2010-02-06, 2010-05-11, 2010-05-11 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-0908210000 definitions=main-1005110063
Message-Id: <20100511135405.5DF9E28C0E7@core3.amsl.com>
Cc: "'paul.hoffman@vpnc.org'" <paul.hoffman@vpnc.org>, "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 13:54:37 -0000
Are you planning to use full 160 bits of SHA-1 output? If not - you realize that possibility of collision on truncated output is higher? Regards, Uri ----- Original Message ----- From: tls-bounces@ietf.org <tls-bounces@ietf.org> To: Nicolas Williams <Nicolas.Williams@oracle.com> Cc: paul.hoffman@vpnc.org <paul.hoffman@vpnc.org>; tls@ietf.org <tls@ietf.org> Sent: Tue May 11 09:39:50 2010 Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call: Nicolas Williams wrote: > > Stefan Santesson wrote: > > > > What if a collision occurs? > > > > That is pretty deterministic too. The server and the client may then agree > > on a cached value by mistake. They will then go ahead and try to complete > > the handshake with different opinions on a cached security critical value, > > such as disagreeing about the server certificate chain. This will inevitably > > lead to a handshake failure. > > That's what I thought. > > > Upon a failed cached handshake, the client and server tries a new handshake > > without caching, updates it's cache and moves on with life. > > Well... Many applications might not. Can the handshake be retried > transparently to the application? Or will the application have to > close() its socket and re-connect()? Re-thinking this scenario, I do not think that is a workable approach. The reason why I originally asked for using a (sha-1) hash value over the replaced data instead of a simple, server-assigned identifier, was robustness. Going through a handshake failure is _NOT_ an option. I wanted to avoid the cache of the server and client to get out-of-sync, and the use of a sha-1 hash value over the real data instead of that data should be sufficiently robust so that the server will send the real data in case the clients cached value differs from what the server would normally send. It is generally impossible to recover from a TLS handshake failure. It normally requires closure of the existing connection and opening of a new connection because it is completely unspecified how to recover from a TLS handshake failure on a connection (and how to clear the network pipe from unprocessed data from the previous handshake). If a client-side proxy traversal is involved, a full app-level proxy handshake is required. If proxy traversal requires an OTP authentication, it will be completely impossible without user interaction. -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] Collisions (Re: Nico's suggestions - Re… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Collisions (Re: Nico's suggestions - Re… Jeffrey A. Williams