Re: [TLS] Wrapping up cached info (and PRF WTF)

"Kemp, David P." <DPKemp@missi.ncsc.mil> Mon, 17 May 2010 19:45 UTC

Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D31B03A6AC2 for <tls@core3.amsl.com>; Mon, 17 May 2010 12:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.277
X-Spam-Level:
X-Spam-Status: No, score=-4.277 tagged_above=-999 required=5 tests=[AWL=-0.278, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYNxJZCWZggb for <tls@core3.amsl.com>; Mon, 17 May 2010 12:45:36 -0700 (PDT)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id 7B4373A6A5E for <tls@ietf.org>; Mon, 17 May 2010 12:45:36 -0700 (PDT)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Mon, 17 May 2010 15:45:19 -0400
Message-ID: <201005171945.o4HJjNtp008322@stingray.missi.ncsc.mil>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50A67C326@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Wrapping up cached info (and PRF WTF)
Thread-Index: Acr12oyVh6LZskrwQJqy0Mb6pFK61wAAq/DAAAQgc1A=
References: <C816DA05.66DF%uri@ll.mit.edu> <4BF168A3.40409@extendedsubset.com> <AC1CFD94F59A264488DC2BEC3E890DE50A67C326@xmb-sjc-225.amer.cisco.com>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: <tls@ietf.org>
X-OriginalArrivalTime: 17 May 2010 19:46:37.0468 (UTC) FILETIME=[A99B75C0:01CAF5F9]
Subject: Re: [TLS] Wrapping up cached info (and PRF WTF)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 19:45:37 -0000

>> [Nico] Paul Hoffman proposes an extension to add inputs to the
Finished 
>> message computation.  There's no objection yet to Paul's proposal on 
>> the grounds you state.
>
> [Marsh] I'm not sure the discussion got that far, so it's not evidence
of much.


Was this a verbal proposal?  Paul has submitted the following I-Ds:

draft-hoffman-tls-additional-random-ext-01  -- Additional Random
Extension to TLS
draft-hoffman-tls-master-secret-input-01    -- Additional Master Secret
Inputs for TLS

but nothing that would add inputs to the Finished computation other than
what was actually transmitted over the wire.

I agree with using a checksum to identify the cached data while
including the actual data in the finished calculation.   I don't see any
mechanism for doing that using either of the Hoffman drafts, but I still
think it could be done in a relatively straightforward manner by
defining a "CachedObject" compression algorithm that would "compress"
and "expand" by direct substitution of checksums for data.

----------

And on a different topic, What is This Function?


RFC 5246 section 4.3 defines the notation for two types of vectors:
  Fixed length:     T T'[n];
  Variable length:  T T'<floor..ceiling>;

and section 7.4.9 defines the structure of the Finished message:

      struct {
          opaque verify_data[verify_data_length];
      } Finished;

      verify_data
         PRF(master_secret, finished_label, Hash(handshake_messages))
            [0..verify_data_length-1];


What sort of notation is a function PRF() followed by a floor and
ceiling expression enclosed in square brackets []?

Assuming it means that the PRF output is truncated to some variable
number of bytes, why is the floor 0 bytes and the ceiling 11 bytes when
all verify_data vectors MUST be either exactly 12 (current ciphersuites)
or at least 12 (future ciphersuites) bytes???

Dave



-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
Joseph Salowey (jsalowey)
Sent: Monday, May 17, 2010 12:30 PM
To: Marsh Ray; Blumenthal, Uri - 0668 - MITLL
Cc: tls@ietf.org
Subject: Re: [TLS] Wrapping up cached info

I agree with Uri, that if you determine you need SHA-256 then you should
plan for hash agility.  TLS 1.2 plans for hash agility.  

What about Nico's proposal where a checksum is used to identify the
cached data and the actual handshake contains the actual data hashed
with the algorithm used in the PRF negotiated with the cipher suite? 

This way we don't have to introduce hash agility into the extension, but
we have cryptographic hash agility where it matters in the Finished
computation.  Does it solve the problem?  

Joe