Re: [TLS] New cached-info draft 09 posted
Marsh Ray <marsh@extendedsubset.com> Mon, 12 July 2010 23:37 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1823B3A6CFF for <tls@core3.amsl.com>; Mon, 12 Jul 2010 16:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.787
X-Spam-Level:
X-Spam-Status: No, score=-1.787 tagged_above=-999 required=5 tests=[AWL=0.812, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6d4rsvB83wf5 for <tls@core3.amsl.com>; Mon, 12 Jul 2010 16:37:52 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id F103F3A6D1E for <tls@ietf.org>; Mon, 12 Jul 2010 16:37:09 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OYSYo-0003NR-1C; Mon, 12 Jul 2010 23:37:18 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id A4F9E633A; Mon, 12 Jul 2010 23:37:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18iQCC5oyGDkmoJbV8LVtvY68F8eLFQ2Y0=
Message-ID: <4C3BA72E.9030809@extendedsubset.com>
Date: Mon, 12 Jul 2010 18:37:18 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Thunderbird/3.0.5
MIME-Version: 1.0
To: Stefan Santesson <stefan@aaa-sec.com>
References: <C8615980.C7C6%stefan@aaa-sec.com>
In-Reply-To: <C8615980.C7C6%stefan@aaa-sec.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] New cached-info draft 09 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 23:37:53 -0000
On 07/12/2010 04:45 PM, Stefan Santesson wrote: > We had a very long debate about this and we finally reached an agreement. > Can we stick with it or do we have to redesign this over and over again? We're almost there! > I don't see the benefit of using a hash that is stronger than the hash > function used to generate the finished message. > > We only need an identifier. Note that the Finished message was not designed to be used as an identifier. > The only security requirement identified after a > very long debate is that we want to make sure that we preserve the security > properties of the Finished message. That we do if we use the same hash > function. One little wrinkle is that it's not just a simple hash function that generates the Finished message. It's from the PRF which is a redundant, recursive application of HMAC (itself redundant). In order to calculate his Finished verify_data, a TLS 1.0 server has to invoke hash functions a total of 16 times (AFAICT, might be off a factor of two there). IMHO it's the most robust part of TLS by far. Since HMAC is dynamically keyed by the master secret it eliminates a lot of precomputation attacks. Perhaps this is why verify_data was not expected to need collision resistance and is only 12 bytes (96 bits) long. For some purposes the client and server's Finished messages may function as a longer 24 byte value. So the Finished.verify_data has some very particular properties that are impossible to duplicate precisely for the cached_info identifier. from -09: > The hash algorithm used to calculate hash values SHALL be the hash > algorithm that was used to generate the Finished message in the > handshake exchange from which the hashed information was cached. Hash For TLS 1.0 and 1.1, would this amount to MD5(data)+SHA-1(data)? That's 36 bytes. I think the closest we can come is by using the PRF with a static secret. For collision resistance we could go with the total amount of verify_data, 24 bytes. How about something like: [...] The hash values SHALL be generated using the same PRF that was used to generate the Finished messages in the handshake exchange from which the hashed information was cached. Although normally the PRF would be initialized from the master_secret, this usage requires a hashing algorithm which remains stable across multiple handshakes. To accomplish this the fixed label string is simply supplied again in place of the secret input for PRF initialization. [...] opaque hash_value<hash_value_length>; hash_value PRF(fixed_value, cached_info_label, Hash(cached_object_data)) [0..hash_value_length-1]; hash_value_length Twice the length of a single Finished.verify_data message for the current handshake. For all current versions of TLS, this is 24 bytes. fixed_value and cached_info_label The string "cached info" for both. - Marsh
- [TLS] Second Last Call: draft-ietf-tls-rfc4366-bi… The IESG
- Re: [TLS] Second Last Call: draft-ietf-tls-rfc436… Paul Hoffman
- [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Brian Smith
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Martin Rex
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson
- Re: [TLS] New cached-info draft 09 posted Simon Josefsson
- Re: [TLS] New cached-info draft 09 posted Marsh Ray
- Re: [TLS] New cached-info draft 09 posted Michael D'Errico
- Re: [TLS] New cached-info draft 09 posted Simon Josefsson
- Re: [TLS] New cached-info draft 09 posted Stefan Santesson