Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

Marsh Ray <> Thu, 13 May 2010 14:42 UTC

Date: Thu, 13 May 2010 09:42:23 -0500
From: Marsh Ray <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Yoav Nir <>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Simon Josefsson <>, "Kemp, David P." <>, "" <>
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
X-List-Received-Date: Thu, 13 May 2010 14:42:41 -0000

On 5/13/2010 2:15 AM, Yoav Nir wrote:
> I kind of fail to see where the discussion shifted. In fact we have
> NOT determined that *malicious* collision resistance is a concern.

I have determined that I am concerned about malicious collisions, until
I get a comfortable feeling that they're not a problem. It's certainly
not anyone else's job to make me feel a certain way, but I hope you
don't mind if I ask a bunch of questions.

We should also keep in mind that the extension only addresses two types
of cached data at this time, but could possibly later include more. If
security analysis needs to be based on the particulars of a given cached
item type, that should get written down somewhere in the draft.

> A client connects to a server and caches the credentials. Next time
> it connects to the *same* server,

The client may intend to connect to the same server, but we can't assume
it actually *is* connecting to the same server at this point in the
handshake. Proving that it actually is the same server is the #1 goal of
the handshake, and can't be considered a success until the Finished
message is checked.

> it shows an extension that proves
> knowledge of the credentials.

How does it do that?

The extension is sent in-the-clear so it's not a shared secret. I don't
see any signing operation either.

Without collision resistance, an attacker may have arranged for the client
to cache something different with the same hash. Client and server may
be using the same hash to talk about different things.

> Assuming the credentials haven't
> changed, the server can skip sending the credentials, but still has
> to prove ownership by signing something or by decrypting the
> pre-master secret. So what could an attacker do?

Are we discussing only the certificate_chain caching right now?

There's also the trusted_cas type and any defined in the future (if in
fact this is a general extensible facility).

- Marsh
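The scenario Marsh raises above (client and server agreeing on a hash value while holding different objects) can be modelled directly. The following is an added example written for this page; it is not code from the thread, from the cached-info draft, or from any TLS implementation. It assumes a toy exchange in which the client offers the digests of its cached objects in the clear and the server answers with a matching digest instead of the object. The hash is SHA-256 truncated to `nbytes`; `nbytes=32` is the real hash, and a short truncation stands in for a hash that is not collision resistant. The names `Client`, `Server`, `second_preimage` and `run`, and the byte strings used as stand-ins for a certificate chain, are all constructed for illustration.

```python
"""Toy model of a hash-keyed cached-info exchange.

Added example; not the draft's wire format. Shows that when the digest is
not collision resistant, the client can end up resolving the server's
"I skipped it, you have it cached" reference to a different object than
the one the server means, and nothing in the digest comparison itself
reveals the mismatch.
"""
import hashlib


def digest(obj: bytes, nbytes: int) -> bytes:
    """SHA-256 truncated to nbytes. 32 is the full hash; small values model
    a weak, non-collision-resistant hash (assumption for illustration)."""
    return hashlib.sha256(obj).digest()[:nbytes]


class Client:
    def __init__(self, nbytes: int):
        self.nbytes = nbytes
        self.cache = {}  # digest -> cached object bytes

    def cache_object(self, obj: bytes) -> None:
        self.cache[digest(obj, self.nbytes)] = obj

    def client_hello(self) -> list:
        # The extension is sent in the clear: just the digests, no secret.
        return list(self.cache)

    def resolve(self, d: bytes):
        # What the client believes the server is referring to.
        return self.cache.get(d)


class Server:
    def __init__(self, obj: bytes, nbytes: int):
        self.obj = obj
        self.nbytes = nbytes

    def server_hello(self, offered: list):
        d = digest(self.obj, self.nbytes)
        if d in offered:
            return ("cached", d)  # skip sending the object itself
        return ("full", self.obj)


def second_preimage(target: bytes, nbytes: int,
                    prefix: bytes = b"attacker-chain-", budget: int = 1 << 20):
    """Brute-force search for a different object with the same truncated
    digest. Succeeds quickly for a short digest, fails within the budget
    for the full 32-byte hash."""
    want = digest(target, nbytes)
    for i in range(budget):
        cand = prefix + i.to_bytes(4, "big")
        if digest(cand, nbytes) == want:
            return cand
    return None


def run(nbytes: int, budget: int = 1 << 20):
    """Returns (client_resolved_to_real_object, attacker_found_collision)."""
    real = b"real-server-cert-chain"  # constructed stand-in for a cert chain
    client = Client(nbytes)
    server = Server(real, nbytes)

    forged = second_preimage(real, nbytes, budget=budget)
    # If the attacker found a colliding object, assume it earlier got the
    # client to cache that object instead of the real one.
    client.cache_object(forged if forged is not None else real)

    kind, payload = server.server_hello(client.client_hello())
    assert kind == "cached"  # digests match either way
    return client.resolve(payload) == real, forged is not None


if __name__ == "__main__":
    print("full hash   :", run(32, budget=1 << 16))  # (True, False)
    print("2-byte hash :", run(2))                   # (False, True)
```

With the full hash the search fails and the client resolves the server's reference to the real chain; with the two-byte stand-in the attacker finds a colliding object in a few tens of thousands of tries, the server still sees a matching digest and omits the chain, and the client silently substitutes the wrong object. Whether any later step of the handshake catches that substitution depends on what the server's proof of possession is bound to, which is exactly the question the message leaves open.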