IETF Logo Mail Archive

Re: [TLS] Server validation of a second ClientHello

Hubert Kario <hkario@redhat.com> Tue, 12 February 2019 12:53 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C418F12F1A6 for <tls@ietfa.amsl.com>; Tue, 12 Feb 2019 04:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M7rMvaX4swZX for <tls@ietfa.amsl.com>; Tue, 12 Feb 2019 04:53:10 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF45512DF71 for <tls@ietf.org>; Tue, 12 Feb 2019 04:53:09 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7E75E37E88; Tue, 12 Feb 2019 12:53:09 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.83]) by smtp.corp.redhat.com (Postfix) with ESMTP id EFFFB19C7D; Tue, 12 Feb 2019 12:53:08 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: tls@ietf.org
Date: Tue, 12 Feb 2019 13:52:43 +0100
Message-ID: <1549980018.5oto7EOJll@pintsize.usersys.redhat.com>
In-Reply-To: <1549842219.465443.1655100776.7BADB4DA@webmail.messagingengine.com>
References: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com> <3192766.6rApcoU5jf@pintsize.usersys.redhat.com> <1549842219.465443.1655100776.7BADB4DA@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart4181887.LOKayHmXMs"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Tue, 12 Feb 2019 12:53:09 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uKN0w1HeUWQYcpHcdS9PucwWN2I>
Subject: Re: [TLS] Server validation of a second ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 12:53:12 -0000

On Monday, 11 February 2019 00:43:39 CET Martin Thomson wrote:
> On Fri, Feb 8, 2019, at 23:53, Hubert Kario wrote:
> > the cookie can be up to 2^16 bytes long, even if client sends all 50
> > extensions and spaces them with unknown extensions between, that's at most
> > 20 bytes per extension = 1000 bytes total extra space needed in cookie
> > (32 bytes and 1600 bytes if you want to be very conservative)
> 
> Yeah, that's ridiculously large.  With quite a few extensions supported, and
> many more unknown to us, the only way we might realistically ensure that
> the ClientHello doesn't change is to save a hash snapshot at every boundary
> where the cookie extension might be inserted or where an extension might be
> changed.  SHA-2 has a fairly small state to capture, but that's still
> nearly unbounded state.  With an amplification factor of up to 8, meaning
> that it could be more efficient to send the client its entire ClientHello
> in the cookie.

I definitely won't claim that it is easy or straight-forward to do, I do claim 
that it is possible. Yes, sometimes it may mean that sending the literal CH in 
cookie may be more bandwidth efficient.

And regarding the specific extension in question, to verify that it didn't 
change between Hello's it is only 2 bytes extra in cookie. If that is too much 
already, I don't think that stateless HRR is something we will see in 
implementations for years to come.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email