IETF Logo Mail Archive

Re: [TLS] Abbreviated Handshake != Renegotiated Handshake

Ravi Ganesan <ravi@findravi.com> Sat, 19 December 2009 23:07 UTC

Return-Path: <ravi@findravi.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 75C7D3A6996 for <tls@core3.amsl.com>; Sat, 19 Dec 2009 15:07:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.189
X-Spam-Level:
X-Spam-Status: No, score=-2.189 tagged_above=-999 required=5 tests=[AWL=-0.212, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2t9ILfQzCIU for <tls@core3.amsl.com>; Sat, 19 Dec 2009 15:07:44 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id 6D13C3A6911 for <tls@ietf.org>; Sat, 19 Dec 2009 15:07:44 -0800 (PST)
Received: by pwi20 with SMTP id 20so2797369pwi.29 for <tls@ietf.org>; Sat, 19 Dec 2009 15:07:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.114.86.5 with SMTP id j5mr3695042wab.0.1261264046813; Sat, 19 Dec 2009 15:07:26 -0800 (PST)
In-Reply-To: <20091219221416.46E066C89B6@kilo.networkresonance.com>
References: <3561bdcc0912190913t7bf4ea3fkc3ec29117b268b96@mail.gmail.com> <4B2D22C6.9090109@extendedsubset.com> <3561bdcc0912191343n33b51ebdh260d8048ecd0857f@mail.gmail.com> <20091219221416.46E066C89B6@kilo.networkresonance.com>
Date: Sat, 19 Dec 2009 15:07:26 -0800
Message-ID: <3561bdcc0912191507y45ec359bma3b32f12dbcad07@mail.gmail.com>
From: Ravi Ganesan <ravi@findravi.com>
To: Eric Rescorla <ekr@networkresonance.com>
Content-Type: multipart/alternative; boundary="00504502e13b7a7277047b1ceb15"
Cc: tls@ietf.org
Subject: Re: [TLS] Abbreviated Handshake != Renegotiated Handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 23:07:45 -0000

I agree completely with the comments below, and those of Mike, that a smart
app completely aware of the doings of the ssl stack, can ensure the ssl
stack underneath it does not do something unexpected. One could by the same
token claim that a smart app aware of the doings of the ssl stack would not
have mixed up the before and after of the 'pizza order' in your exposition
of the original attack. I figured the goals were to save a not-so-smart app
from itself to extent possible.

Anyway, for my taste, if one side says I want to renegotiate, and the other
responds with a message that results in NON-renegotiation it makes no sense
to allow it within TLS itself.  I have not seen any use case where this
peculiar behaviour should be tolerated. And if such a use case does not
exist, it might be wise to be parsimonious and disallow it.




On Sat, Dec 19, 2009 at 2:14 PM, Eric Rescorla <ekr@networkresonance.com>wrote:

> At Sat, 19 Dec 2009 13:43:00 -0800,
> > ii) You say: "Why couldn't a client offer resumption of a previously
> > client-authed session in response to a server-initiated renegotiation?".
> In
> > re-reading RFC 5246 my take away is that this is implicitly forbidden,
> but
> > maybe that is just my reading.
>
> I don't see any text in 5246 that seems to forbid this.
>
>
> > -  imagine an application requirement to change key material every 24
> hours,
> > because after that an attacker gathers up enough ciphertext or chosen
> > plaintext to render continuing to use the same key material dangerous.
>
> IMO, this is a bogus requirement:
>
> 1. Modern ciphers do not suffer from key exhaustion. You should be able
>   to use the same key for effectively any plausible amount of ciphertext.
> 2. To the exten to which you *are* worried about key exhaustion (or
>   something like CBC rollover), then merely re-deriving the keys from
>   the original master secret is quite sufficient. There is no need
>   to do a new public key exchange.
>
>
> > - app developer instructs his (server) SSL stack to do 'renegotiation'
> every
> > 24 hours.
> > - applications (server) SSl stack sends renegottation message'.
> > - In your scenario (client) stack at other end says "oh come on, not all
> > over again, lets just resume" and commences abbreviated handshake using
> same
> > master_secret.
> > - In your scenario the (server) SSL stack proceeds, and the app "thinks"
> it
> > is refreshing key material every 24 hours, and in fact it is not!!!
>
> Either side has the option to decide to do a full handshake. If they
> want that, then either the client should not offer resumption or the
> server should not accept it. It's not clear to me why such a restriction
> would need to be in TLS proper.
>
> -Ekr
>
>
>


-- 
Ravi Ganesan
ravi@findravi.com
www.findravi.com

v2.23.0 | Report a Bug | By Email