IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 17 February 2011 09:48 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC1963A6DCB for <tls@core3.amsl.com>; Thu, 17 Feb 2011 01:48:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcnYDl42WNqd for <tls@core3.amsl.com>; Thu, 17 Feb 2011 01:48:36 -0800 (PST)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id 0EB7F3A6D69 for <tls@ietf.org>; Thu, 17 Feb 2011 01:48:35 -0800 (PST)
Received: by qyj19 with SMTP id 19so2325995qyj.10 for <tls@ietf.org>; Thu, 17 Feb 2011 01:49:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=IuinEXx6y/NQr/bok99zHcsgcHuiKUA7kqPAQvH9y9A=; b=XQ03hCHWIZ97G5jaNQLqr5xtiaSBfwgWl4bWcH1/Bx9igttzXZrqRkcaSl2QZoC/Ci 2AOYfT4I71Ykl9eyU57g1EqdXOJ6m4Lrn4yqQamwVJsS2BboJsRaA+279zLGUuHDUFh1 VLF9AeHijdh2P32FibKB1DFyomjnJ1ErSfQ/A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=XLPmWBwDdrwHZIZA37sUdMCtj13IErgh0ex5jamFM5W2mqzMZR65//YrhqtNANu+VQ E6WslsRHzfglbJAAcgC9JFoVTGGARME7/baf4V4Dpl842PeOyj1GDyBQVrb/Lh8U4SaO EdYSMbCO37X9H49be+Izi59+f23j5bQmAPCOI=
MIME-Version: 1.0
Received: by 10.229.218.197 with SMTP id hr5mr2077864qcb.14.1297936146067; Thu, 17 Feb 2011 01:49:06 -0800 (PST)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.229.232.18 with HTTP; Thu, 17 Feb 2011 01:49:06 -0800 (PST)
In-Reply-To: <AANLkTimsFTBw=WtOopKfQkPnKJJH83kaHYuN89GBLEPC@mail.gmail.com>
References: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp> <4D5C65D2.4060502@pobox.com> <4D5CE08C.5060402@gnutls.org> <AANLkTimsFTBw=WtOopKfQkPnKJJH83kaHYuN89GBLEPC@mail.gmail.com>
Date: Thu, 17 Feb 2011 10:49:06 +0100
X-Google-Sender-Auth: 71bJnpLH7XXJUXylRRJw-UwKMfs
Message-ID: <AANLkTi=A61NKuyY6fZ2kaMfYOL1R4pHdvHUeVtWMhXpR@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 09:48:37 -0000

On Thu, Feb 17, 2011 at 10:35 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>>> I see the potential problem.  For me, though, I just hold onto all
>>> of the handshake messages until the handshake concludes.  It may use
>>> a bit more memory for a short amount of time, but the issue you raise
>>> is completely avoided.  Call it a space <-> code complexity
>>> trade-off.
>> Indeed. There is no other way to correctly implement TLS 1.2 except
>> from holding a copy of all the handshake messages. This is problematic
>> when converting an implementation of TLS 1.0 or 1.1 to that, since
>> those protocols only required to hold the state of 1 or 2 running hashes.
> Is that really true?. My memory from the discussions and briefly
> refreshed by looking at the
> doc is that you only need to hold the messages until you see the
> ServerHello at which point
> you know the PRF and so you can just start storing hashes.

Note that you're talking about the hashes required for the finished
messages and you're correct on this note. However there is also the
hash required for the CertificateVerify message. If the server requests
a client certificate then it has to store all messages up to (but not
including) the CertificateVerify message.
That is because he cannot possibly know which signature algorithm
hash the client will use.

In TLS 1.0 and 1.1 the same hashes as the ones in the finished
messages were being used, so that was not an issue.

regards,
Nikos

v2.23.0 | Report a Bug | By Email