IETF Logo Mail Archive

Re: [TLS] New cached-info draft 09 posted

Marsh Ray <marsh@extendedsubset.com> Mon, 12 July 2010 23:37 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1823B3A6CFF for <tls@core3.amsl.com>; Mon, 12 Jul 2010 16:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.787
X-Spam-Level:
X-Spam-Status: No, score=-1.787 tagged_above=-999 required=5 tests=[AWL=0.812, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6d4rsvB83wf5 for <tls@core3.amsl.com>; Mon, 12 Jul 2010 16:37:52 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id F103F3A6D1E for <tls@ietf.org>; Mon, 12 Jul 2010 16:37:09 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OYSYo-0003NR-1C; Mon, 12 Jul 2010 23:37:18 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id A4F9E633A; Mon, 12 Jul 2010 23:37:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18iQCC5oyGDkmoJbV8LVtvY68F8eLFQ2Y0=
Message-ID: <4C3BA72E.9030809@extendedsubset.com>
Date: Mon, 12 Jul 2010 18:37:18 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Thunderbird/3.0.5
MIME-Version: 1.0
To: Stefan Santesson <stefan@aaa-sec.com>
References: <C8615980.C7C6%stefan@aaa-sec.com>
In-Reply-To: <C8615980.C7C6%stefan@aaa-sec.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] New cached-info draft 09 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 23:37:53 -0000

On 07/12/2010 04:45 PM, Stefan Santesson wrote:
> We had a very long debate about this and we finally reached an agreement.
> Can we stick with it or do we have to redesign this over and over again?

We're almost there!

> I don't see the benefit of using a hash that is stronger than the hash
> function used to generate the finished message.
>
> We only need an identifier.

Note that the Finished message was not designed to be used as an identifier.

> The only security requirement identified after a
> very long debate is that we want to make sure that we preserve the security
> properties of the Finished message. That we do if we use the same hash
> function.

One little wrinkle is that it's not just a simple hash function that 
generates the Finished message. It's from the PRF which is a redundant, 
recursive application of HMAC (itself redundant). In order to calculate 
his Finished verify_data, a TLS 1.0 server has to invoke hash functions 
a total of 16 times (AFAICT, might be off a factor of two there). IMHO 
it's the most robust part of TLS by far.

Since HMAC is dynamically keyed by the master secret it eliminates a lot 
of precomputation attacks. Perhaps this is why verify_data was not 
expected to need collision resistance and is only 12 bytes (96 bits) 
long. For some purposes the client and server's Finished messages may 
function as a longer 24 byte value.

So the Finished.verify_data has some very particular properties that are 
impossible to duplicate precisely for the cached_info identifier.

from -09:
>    The hash algorithm used to calculate hash values SHALL be the hash
>    algorithm that was used to generate the Finished message in the
>    handshake exchange from which the hashed information was cached. Hash

For TLS 1.0 and 1.1, would this amount to MD5(data)+SHA-1(data)? That's 
36 bytes.

I think the closest we can come is by using the PRF with a static 
secret. For collision resistance we could go with the total amount of 
verify_data, 24 bytes.

How about something like:

[...]

The hash values SHALL be generated using the same PRF that was used to 
generate the Finished messages in the handshake exchange from which the 
hashed information was cached. Although normally the PRF would be 
initialized from the master_secret, this usage requires a hashing 
algorithm which remains stable across multiple handshakes. To accomplish 
this the fixed label string is simply supplied again in place of the 
secret input for PRF initialization.

[...]

    opaque hash_value<hash_value_length>;

    hash_value
       PRF(fixed_value, cached_info_label, Hash(cached_object_data))
           [0..hash_value_length-1];

    hash_value_length
       Twice the length of a single Finished.verify_data message for
       the current handshake. For all current versions of TLS, this
       is 24 bytes.

    fixed_value and cached_info_label
       The string "cached info" for both.

- Marsh

v2.23.0 | Report a Bug | By Email