Re: [TLS] Finished stuffing

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 September 2016 19:15 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07DFC12B50F for <tls@ietfa.amsl.com>; Tue, 13 Sep 2016 12:15:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.408
X-Spam-Level:
X-Spam-Status: No, score=-3.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.508] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtrctVPDLcrN for <tls@ietfa.amsl.com>; Tue, 13 Sep 2016 12:15:17 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 4DAA512B52A for <tls@ietf.org>; Tue, 13 Sep 2016 12:15:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id C8C7F11344; Tue, 13 Sep 2016 22:15:13 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id m8re2YplWJp2; Tue, 13 Sep 2016 22:15:13 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-237-87.bb.dnainternet.fi [87.100.237.87]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7230528B; Tue, 13 Sep 2016 22:15:13 +0300 (EEST)
Date: Tue, 13 Sep 2016 22:15:10 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <20160913191510.hfumchrmzvfplnlm@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNqs+6SYsA9SnED8nWkUXifSPuF4gBdRG-gJamtWmxWNw@mail.gmail.com> <CABcZeBP890QrcbpGR9Ht2RkfHShavkkDmvvKPP+81x8Bz+SeDA@mail.gmail.com> <CAF8qwaCVyRrSm-XtL6Jd_VKD9qGmCJNFJW1GZVjmidsr3DnW_Q@mail.gmail.com> <CAOgPGoD8YEr=+c8eG+YZ=6nSvFB2uk7MiKNgN7Z=wg7ihAUhzg@mail.gmail.com> <e1048616-22f9-4f37-ee1c-712f97213e31@akamai.com> <20160909201903.t726g3tywns2pfuq@LK-Perkele-V2.elisa-laajakaista.fi> <599816da-8c60-938d-d6c0-3ec1510e2b96@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <599816da-8c60-938d-d6c0-3ec1510e2b96@akamai.com>
User-Agent: NeoMutt/20160910 (1.7.0)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qPoCWvU4D5AMjhl3azsPzClh9V4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Finished stuffing
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2016 19:15:29 -0000

On Tue, Sep 13, 2016 at 12:04:40PM -0500, Benjamin Kaduk wrote:
> 
> 
> On 09/09/2016 03:19 PM, Ilari Liusvaara wrote:
> > On Fri, Sep 09, 2016 at 02:50:59PM -0500, Benjamin Kaduk wrote:
> 
> >> I have a slight (i.e., unjustified) preference for doing
> >> ClientHello-with-block-of-zeros rather than prefix-of-ClientHello.  (Is
> >> there a reason to require this extension to be the last one with
> >> block-of-zeros?  Clearly there is for prefix-of-ClientHello.)
> > What about the case where client tries DHE-PSK and gets attempt
> > rejected because of missing group (or because address verification)?
> > 0-RTT is gone yes, but the PSK attempt isn't.
> >
> > What happens to the hash in this case?
> >
> >
> 
> I feel like I must be missing something, but I don't really understand
> the question.  (Sadly, waiting in the hope that someone else did
> understand and would respond didn't work.)  The 0-RTT failed, so the
> full handshake will have an actual Finished message, with a different
> hash calculated (including over the "hello_finished" extension).  The
> most plausible way I could interpret the question seems to be asking
> about the lack of Hash(resumption_context) in the 1-RTT Finished, but
> the security properties of that should be the same as for the
> hello_finished, so I'm still puzzled.
> 
> Sorry for being dense...

I mean the following case (perhaps bit misconfigured server):

Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,...,finished=zot)
Server: HelloRetryRequest(group=24)
Client: ClientHello(groups=23,24,29;PSK=foo;shares=23:bar,29:baz,24:quux,...,finished=???)


What is the finished data calculated over in the second case?


-Ilari