Re: [TLS] CCS and key reset and renegotiation
Nico Williams <nico@cryptonector.com> Thu, 05 June 2014 16:27 UTC
Date: Thu, 05 Jun 2014 11:27:18 -0500
Message-ID: <CAK3OfOhrKNiz7oKqWGWKxVB891LfuZMEuvHT1-VsROPX-fLUDw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n4PTnsE9YRvb-ohnAhRvxVLUYE0
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] CCS and key reset and renegotiation
On Thu, Jun 5, 2014 at 10:53 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 5 June 2014 08:41, Salz, Rich <rsalz@akamai.com> wrote:
>>> I don't see why the incompetence of implementors should govern our
>>> decisions. If something cannot be implemented correctly it must be removed,
>>> but why is rekeying such a thing?
>>
>> Because the line between “often get it wrong” and “cannot be implemented” is
>> often a very thin one and it’s better to be cautious and safe, than
>> pedantically correct and usually broken.
>
> I tend to agree with Watson here. This is a problem that happens
> during the initial handshake only. Maybe we can design the handshake
> to ensure that CCS cannot be abused for TLS 1.3. But I don't see how
> this vulnerability extends to subsequent handshakes or rekeying
> exchanges.

A single bit of state was not kept or checked. How do we prevent that
sort of implementation bug with protocol design? How could we prevent
the goto fail bug with protocol design?

(Well, DANE helps, to be sure, by cutting out the PKIX. But really,
even then there will be plenty of opportunities to commit bugs of these
types.)

At some point using silly implementation bugs as a justification for
protocol design decisions... will probably lead to bad protocol design
decisions.

There are cases where I think that protocol design decisions do impact
implementation quality. For example, using ASN.1 w/ BER/DER/CER in new
protocols is asking for trouble because a) cheap tooling is still not
widely available, b) BER is very redundant, and redundancy doesn't help
programmers get it right. ASN.1 w/ PER, or XDR -- these are superior to
BER.

Nico
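The "single bit of state" referred to above, modelled as a small endpoint state machine: an added example, not code from this thread or from any TLS implementation. The record names are TLS 1.2 message types; the `KEX` marker, the `Endpoint`/`run` helpers and the secret value are constructed for the illustration, and `check_state=False` models the missing check so the two behaviours can be compared side by side.

```python
"""Model of the one bit of state that must guard ChangeCipherSpec (CCS).
Added example, not code from this thread or from any TLS implementation.
Record names are TLS 1.2 message types; 'KEX' and the secret are constructed.
"""

class UnexpectedMessage(Exception):
    """Stands in for a fatal unexpected_message alert."""

class Endpoint:
    def __init__(self, check_state=True):
        self.check_state = check_state   # False models the missing check
        self.keys_established = False    # the one bit of state at issue
        self.master_secret = b""         # empty until the key exchange ends
        self.peer_encrypted = False
        self.key_in_use = None           # secret the read side switched to

    def on_key_exchange_done(self, master_secret):
        self.master_secret = master_secret
        self.keys_established = True

    def on_record(self, kind):
        if kind == "ChangeCipherSpec":
            if self.check_state and not self.keys_established:
                raise UnexpectedMessage("CCS before key exchange")
            # Switch the read side to whatever secret exists right now;
            # without the check above that is the empty placeholder.
            self.key_in_use = self.master_secret
            self.peer_encrypted = True
        elif kind == "Finished":
            if not self.peer_encrypted:
                raise UnexpectedMessage("Finished sent in the clear")
        # Other handshake messages are accepted in the clear before CCS.
        return self.peer_encrypted

def run(records, check_state=True, secret=b"constructed-master-secret"):
    """Feed records to one endpoint; 'KEX' marks key exchange completion.
    Returns ('ok', secret the read side uses) or ('rejected', reason)."""
    ep = Endpoint(check_state)
    try:
        for rec in records:
            if rec == "KEX":
                ep.on_key_exchange_done(secret)
            else:
                ep.on_record(rec)
    except UnexpectedMessage as exc:
        return ("rejected", str(exc))
    return ("ok", ep.key_in_use)
```

With the check in place an early CCS is rejected; with it absent the endpoint switches its read side to the empty placeholder secret, which is the failure mode the thread is discussing.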