Re: [TLS] Single round trip abbreviated handshake

["Brian Smith" <brian@briansmith.org>]

Michael Tüxen wrote:
> ... not if you run DTLS over a connection oriented transport
> protocol like DCCP or SCTP. For the new transport connection
> you need to establish a new DTLS connection.

That's true. But, MashSSL is TLS tunneled through HTTP over TCP, so it has a lot of flexibility in how it defines a "HTTP over TCP transport connection." MashSSL already lets that transport connection span multiple TCP connections (AFAICT).

> Michael Tüxen wrote:
> > I assume that he just "continues to use an existing DTLS connect", or
> > am I wrong?

You both understand the idea.

Ravi Ganesan wrote:
> I do not know about DTLS, but in regular TLS one cannot say open a fresh socket,
> send a client_hello with an existing session ID, do a change cipher_spec and
> start sending data using keys from old session.
> You really need to go through the abbreviated handshake dance for a number of
> reasons, including fresh keys to keep cut and paste attacks at bay, etc. It would
> be very ironic if we ended up with holes that were fixed in the SSL 2.0 to 3.0
> transition. (See section 3.0 and 4.0 of this paper
> http://www.schneier.com/paper-ssl.pdf).

DTLS and even regular TLS wouldn’t work if that was true. I think it will be help to look at how DTLS works--in particular, how it distinguishes the start of a new DTLS handshake from a continuation of an existing DTLS connection.

Unfortunately, I can't really devote enough time to this topic to explain everything clearly. Maybe in a few weeks I will have time to work on it some more.

Regards,
Brian