IETF Logo Mail Archive

Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3

Martin Rex <mrex@sap.com> Wed, 11 November 2009 20:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 772A83A69B2 for <tls@core3.amsl.com>; Wed, 11 Nov 2009 12:08:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.152
X-Spam-Level:
X-Spam-Status: No, score=-6.152 tagged_above=-999 required=5 tests=[AWL=0.097, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjUcRqpEG3wC for <tls@core3.amsl.com>; Wed, 11 Nov 2009 12:08:45 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 4BF5D3A69AB for <tls@ietf.org>; Wed, 11 Nov 2009 12:08:45 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nABK99wF017626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Nov 2009 21:09:10 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911112009.nABK98u2017868@fs4113.wdf.sap.corp>
To: Yair.Elharrar@audiocodes.com
Date: Wed, 11 Nov 2009 21:09:08 +0100
In-Reply-To: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E601BC@ACLMAIL01.corp.audiocodes.com> from "Yair Elharrar" at Nov 11, 9 09:43:09 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 20:08:46 -0000

Yair Elharrar wrote:
> 
> Martin Rex wrote:
> 
> > So the smallest possible change to a server that could be used
> > to signal to ANY client that it believes to be doing an initial
> > handshake might be to set the most significant octet of the
> > gmt_unix_time to zero in order for a server to signal in an
> > extremely backward compatible fashion to the client that it
> > is performing an initial TLS handshake on a connection.
> 
> It would probably be better if the entire 32-bit gmt_unix_time was
> set to one of two predefined magic values: one indicating an initial
> connection ('INIT'), the other indicating a renegotiation ('RNEG').
>
> A client receiving 'RNEG' on an initial handshake would know the
> session is under attack.
> A client receiving 'INIT' on an initial handshake would know the
> session is safe.

 asctime(gmtime("INIT")) = Sun Dec 21 13:49:08 2008  GMT

 asctime(gmtime("RNEG")) = Fri Oct  4 04:34:15 2013  GMT

In theory, 28 random octets provide sufficient room for
probabilistic collision resistance, unless the server
has a real shortage of randomness or a very poorly implemented
function to produce the Random for the ServerHello.

> Any other value would indicate the server is running an
> insecure implementation.


I really do not like to label these an _insecure_.

Any other value gives the client no clue whether the server
is doing an initial or renegotiation handshake, because
it does not contain this change.


-Martin

v2.23.0 | Report a Bug | By Email