IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Michael D'Errico <mike-list@pobox.com> Tue, 17 November 2009 17:15 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BEA763A6986 for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:15:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.468
X-Spam-Level:
X-Spam-Status: No, score=-2.468 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tryu946IoOgk for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:15:27 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 979F93A67CC for <tls@ietf.org>; Tue, 17 Nov 2009 09:15:27 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id C145E801D9 for <tls@ietf.org>; Tue, 17 Nov 2009 12:15:25 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=Gxlu8yxxJYLB v3kU8byV7vtnYHw=; b=nBne99vFKDJanJk/5dqW4DxXatyLQCkNYOhAb+8sDtbt 9r88AaND5jbSzInDB170d88FLD/Hz3RzKrNPiKJBimnsF8aN1TDfFAkRxtcdtB8B 5s9oo5gCngSF7gWJMNVVVqmPTBQ8ppdpDMy1nWZi0iQBjBbY3CMhx26eb1ce89A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=VToEM9 zv9Sw8U1Y3yGxHtBI5P37PBvHChLKD2MafPOOqV72NOzPDVzb8niJRfKs/2ud69f 4Iw19CZ8I5fh7OR0X3qQD0bw2kAtz0FcxkSScMUiEtXh80SskBQZvlj2gb+Zl58j mgffokQjpeYv8QtsYP9IEgikF2PsddJraIq98=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 61D2B801D8 for <tls@ietf.org>; Tue, 17 Nov 2009 12:15:25 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id DEAD2801D7 for <tls@ietf.org>; Tue, 17 Nov 2009 12:15:24 -0500 (EST)
Message-ID: <4B02DA71.5020202@pobox.com>
Date: Tue, 17 Nov 2009 09:16:33 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp> <089F31C221374096B0FE619F@446E7922C82D299DB29D899F> <4B02A084.9030903@cs.tcd.ie> <4B02CE81.1000607@pobox.com> <B197003731D4874CA41DE7B446BBA3E829CC8286@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <B197003731D4874CA41DE7B446BBA3E829CC8286@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: CBB26ABC-D39C-11DE-B4DA-9F3FEE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 17:15:28 -0000

Nasko Oskov wrote:
> 
> It was indicated that some implementations use random value for the
> timestamp part of the random values exchanged. If this is correct and there
> are no interop issues with it, then we can use the timestamp as place to
> include a few bits as well. If we reserve the top 4 bit of the most
> significant byte, we can set them to predefined values to signal what we
> want. The side effect will be forwarding time enough in the future to allow
> us to move a newer version of the protocol:
> 
> $ date -d @`echo "ibase=16; F0000000" | bc`
> Mon Aug  5 01:04:00 PST 2097
> $ date -d @`echo "ibase=16; E0000000" | bc`
> Tue Feb  1 03:39:44 PST 2089
> 
> The benefit of using the timestamp is that it will be the same signal both
> ways. We don't have to alternate between cipher suites and other methods on
> the other way. I believe this will also be easier to implement, since new
> alert messages and unexpected server extensions will requre a lot more code
> change and case specific logic.
> 
> Using two values allows both client and server to maintain the calculation
> of the finished message intact, but have knowledge if the handshake is
> expected to be initial or renegotiated. If expectations don't match,
> handshaking is terminated.
> 
> Just an idea for signaling, since we are enumerating ideas.

Since there are implementations that randomize the timestamp, then with only
4 bits, there is a 1-in-16 chance that these implementations will randomly
generate one of the patterns.  If the full 32 bits were used, the odds go
down considerably.  Two specific dates could be used, one for client and one
for the server.

Though personally I prefer using the cipher suite and server version (just an
opinion).

Mike

v2.23.0 | Report a Bug | By Email