Re: [TLS] Proposed text for removing renegotiation

Yoav Nir <ynir.ietf@gmail.com> Wed, 28 May 2014 10:05 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pLVN8kWUHJgh0M8LiGtQ0L6456g

On May 28, 2014, at 3:13 AM, Andy Lutomirski <luto@amacapital.net> wrote:

> On 05/27/2014 03:18 PM, Salz, Rich wrote:
>>> This overloads ChangeCipherSpec, which some might find distasteful, but I think that it is consistent with its current use and purpose.
>> 
>> Yeah, I'm not thrilled by it, although I admit it is consistent.
>> 
>> I would rather see something like Yoav (?) proposed via Jabber at the interim meeting:  a "reset but don't close" message.  Either side sends it, the other side replies, and at this point all state is thrown away and it's just as if the client first connected.  It avoids TCP reconnect, perhaps requires more work (but the EDH key should be cached), but it seems much cleaner.
> 
> I suspect that, without a lot of API care, this will reintroduce the
> original renegotiation attack: client sends a prefix, says "reset but
> don't close", and starts forwarding ciphertext from a different client.

Definitely, so we’d need the same or a similar indication to prevent abuse. I tend to think that a binary indication of “initial contact” would be enough (as normal clients will always be “initial contact” and a ClientHello with “initial contact” should never appear after StopTLS), but I could be wrong.

Yoav
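
The check discussed in this thread, modeled as an added example (it is not part of the original message or of any TLS specification): a server tracks whether a "reset but don't close" (StopTLS) has occurred on the connection and rejects a ClientHello whose "initial contact" indication contradicts that history. `ServerConnection`, the `initial_contact` parameter and the event tuples are hypothetical names; the handshake itself is abstracted away.

```python
from dataclasses import dataclass

class ProtocolError(Exception):
    """Raised when the server must abort the connection."""

@dataclass
class ServerConnection:
    # Hypothetical model: one TCP connection as seen by the server.
    reset_seen: bool = False      # a "reset but don't close" (StopTLS) was processed
    handshake_done: bool = False

    def on_client_hello(self, initial_contact: bool) -> None:
        # Rule from the thread: a ClientHello marked "initial contact" must
        # never appear after StopTLS. Assumption added here: the converse is
        # also enforced (the first hello on a connection must be marked initial).
        if initial_contact == self.reset_seen:
            raise ProtocolError("initial_contact flag inconsistent with connection history")
        self.handshake_done = True   # key exchange and Finished abstracted away

    def on_reset(self) -> None:
        if not self.handshake_done:
            raise ProtocolError("reset before any handshake")
        self.reset_seen = True
        self.handshake_done = False  # all session state is thrown away

    def on_app_data(self, data: bytes) -> None:
        if not self.handshake_done:
            raise ProtocolError("application data outside a session")

def run(events) -> str:
    """Replay constructed events against a fresh connection."""
    conn = ServerConnection()
    try:
        for kind, arg in events:
            getattr(conn, "on_" + kind)(*([] if arg is None else [arg]))
    except ProtocolError as exc:
        return f"rejected: {exc}"
    return "accepted"

# Constructed scenarios (not captured traffic).
HONEST_RESTART = [("client_hello", True), ("app_data", b"GET /a"),
                  ("reset", None), ("client_hello", False), ("app_data", b"GET /b")]
# A relay opens its own session, sends a prefix, resets, then forwards another
# client's handshake. That client believes it just connected, so its hello says
# initial_contact=True; the flag is assumed to be covered by the handshake's
# Finished check, so the relay cannot flip it without breaking the handshake.
SPLICED = [("client_hello", True), ("app_data", b"prefix"),
           ("reset", None), ("client_hello", True), ("app_data", b"victim request")]

if __name__ == "__main__":
    print(run(HONEST_RESTART))
    print(run(SPLICED))
```
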