Re: [TLS] Verify data in the RI extension?
Bodo Moeller <bmoeller@acm.org> Sun, 29 November 2009 10:12 UTC
Return-Path: <SRS0=dAnb=HR=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0018D3A67F0 for <tls@core3.amsl.com>; Sun, 29 Nov 2009 02:12:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.204
X-Spam-Level:
X-Spam-Status: No, score=-102.204 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7Jkd8on5035 for <tls@core3.amsl.com>; Sun, 29 Nov 2009 02:12:53 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.10]) by core3.amsl.com (Postfix) with ESMTP id DE02B3A6782 for <tls@ietf.org>; Sun, 29 Nov 2009 02:12:52 -0800 (PST)
Received: from [10.1.120.118] ([74.125.121.49]) by mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id 0MOkOU-1NArXk3ol4-005Zao; Sun, 29 Nov 2009 11:12:40 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
In-Reply-To: <4B10E225.4010501@jacaranda.org>
References: <9923D81D-BABA-4897-A0E3-6938FFB70045@checkpoint.com> <C7355261.6BB2%stefan@aaa-sec.com> <20091127151113.BDEF16C3795@kilo.networkresonance.com> <4B10E225.4010501@jacaranda.org>
Message-Id: <CA341C50-8D89-49B3-A2C7-F870129093D1@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 29 Nov 2009 11:12:37 +0100
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX1+xciekni19FgLdFfcvxYWwJ4wolEl0FiWMhyt pNDcQ3ewVjhfwpkTKxZaT5r+PuJfChAeL/60k4uNIkt/FvINAy S+XzZzNj6WlJOBvZPQ1ig==
Cc: tls@ietf.org
Subject: Re: [TLS] Verify data in the RI extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2009 10:16:22 -0000
On Nov 28, 2009, at 9:41 AM, David-Sarah Hopwood wrote: > Eric Rescorla wrote: >> I also share [David-Sarah] Hopwood's concern about ambiguity in the >> handshake >> hashes stream created by having data which is not properly formatted >> injected into the hash >> (http://www.ietf.org/mail-archive/web/tls/current/msg04857.html), >> so I don't think the particular approach in Martin's draft is >> really satisfactory. > > That potential weakness can be avoided by encoding the data to be > added > into the hash as follows: > > struct { > enum { fake_finished(20) } fake_handshake_type; > enum { zero(0), (2^24-1) } fake_length; > opaque previous_client_verify_data<12..255>; > opaque previous_server_verify_data<12..255>; > } PreviousVerifyData; > > This works because the bytes {20, 0, 0, 0} encode a zero-length > Finished message, which if they actually appeared on the wire as > a handshake message sent in either direction, would cause the > recipient to abort the handshake. (This is similar to what Martin > suggested in a recent post. Since any fake_length that is not a > valid length for verify_data will work, we might as well use 0.) > > Note that for the receiver of the extra data to fail to abort the > handshake in that case, it would have to make two independent errors, > both violating 'MUST' requirements present since SSLv3: it would have > to accept the empty Finished message out-of-order [*], *and* not > check that the contents of that message is a correct verify_data hash. Arguably a single receiver-side bug might be enough -- namely, having a receiver *ignore* out-of-sequence messages without looking at their content. Then if an adversary includes the above in the actual handshake data sent to one of the peers, the receiver would interpret the concatenation previous_client_verify_data || previous_server_verify_data as one or more additional handshake messages, might similarly ignore these as unexpected, and with a non- negligible probability would end up at the correct message boundary to parse the next actual handshake message. (Encoding the actual combined length of the previous_..._verify_data fields seems simpler to analyze -- this still wouldn't be a valid Finished message; or hash an empty Finished first, then a pseudo- message containing the previous verify data. Of course, neither of this avoids the potential problem with buggy receivers that ignore out- of-sequence messages. That pseudo-message *could* use the Certificate type to maximize the probability that buggy implementations will look at it and stop [given that Certificate is expected at that point of the protocol], but I guess that looks even weirder.) Bodo
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir