[TLS] client and server verify_data in draft-rescorla-tls-renegotiate.txt
"Robert Dugal" <rdugal@certicom.com> Fri, 13 November 2009 19:28 UTC
Return-Path: <rdugal@certicom.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F9C93A6A37 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 11:28:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.202
X-Spam-Level:
X-Spam-Status: No, score=-5.202 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csmYs0GBU1HN for <tls@core3.amsl.com>; Fri, 13 Nov 2009 11:28:26 -0800 (PST)
Received: from mhs04ykf.rim.net (mhs04ykf.rim.net [216.9.243.82]) by core3.amsl.com (Postfix) with ESMTP id E65A03A6978 for <tls@ietf.org>; Fri, 13 Nov 2009 11:28:25 -0800 (PST)
X-AuditID: 0a666446-b7bc0ae000003d34-d2-4afdb3767777
Received: from XCH39YKF.rim.net ( [10.64.31.40]) by mhs04ykf.rim.net (RIM Mail) with SMTP id C3.55.15668.673BDFA4; Fri, 13 Nov 2009 14:28:54 -0500 (EST)
Received: from XCH57YKF.rim.net ([10.64.31.54]) by XCH39YKF.rim.net with Microsoft SMTPSVC(6.0.3790.3959); Fri, 13 Nov 2009 14:28:53 -0500
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA6497.897F9A0D"
Date: Fri, 13 Nov 2009 14:28:53 -0500
Message-ID: <7E1DF37F1F42AB4E877E492C308E6AC402430344@XCH57YKF.rim.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: client and server verify_data in draft-rescorla-tls-renegotiate.txt
Thread-Index: Acpkl4lLUwKu2BjRRpmRwJGW2j+RKQ==
From: Robert Dugal <rdugal@certicom.com>
To: tls@ietf.org
X-OriginalArrivalTime: 13 Nov 2009 19:28:53.0789 (UTC) FILETIME=[892F2CD0:01CA6497]
X-Brightmail-Tracker: AAAAAQAAAZE=
Subject: [TLS] client and server verify_data in draft-rescorla-tls-renegotiate.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 19:28:27 -0000
A co-worker an I have been discussing the draft and have some concerns about sending client and server verify_data in the extension. In the ClientHello, the client sends the verify_data from the client's previous Finish message as the renegotiated_connection data. In the ServerHello, the server sends both the cient's verify_data and the server's verify_data. This data is not normally sent in the clear and I am wondering if this will provide additional data that can be used to mount some other form of attack . The only reason we are sending any data at all is to prove that the renegotiation is bound to a previous handshake, so why not bind it with some data that is on the wire and visible to everyone? One possability is to use the client and server randoms as the renegotiated_connection data. This data is sent as plaintext on the wire so it reveals nothing the attacker doesn't already know. If these randoms are included in the client hello's renegotiation_connection data then they will also be included in the client and server message hashes. Likewise, if they are missing from the renegotiation_connection data an attacker cannot add them or else client and server message hashes will mismatch and renegotiated handshake will fail. Another alternative could be to use the client's encrypted Finish message rather than the verify_data from Client's Finish message, and server's encrypted Finish message. Again both these data are sent on the wire so reveal nothing. It's probably easier to use the randoms as handshake and record layer may not be able interchage data. -- Robert Dugal Senior Software Developer Certicom Corp. A Subsidiary of Research In Motion rdugal@certicom.com direct 905.501.3848 fax 905.507.4230 www.certicom.com --------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- [TLS] client and server verify_data in draft-resc… Robert Dugal
- Re: [TLS] client and server verify_data in draft-… Nicolas Williams
- Re: [TLS] client and server verify_data in Martin Rex
- Re: [TLS] client and server verify_data in draft-… Eric Rescorla
- Re: [TLS] client and server verify_data in draft-… David-Sarah Hopwood
- Re: [TLS] client and server verify_data in draft-… David-Sarah Hopwood