Re: [TLS] Triple Handshake Fix.
Nico Williams <nico@cryptonector.com> Wed, 30 April 2014 22:09 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D95601A09B8 for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 15:09:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hklQTdnuX8k for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 15:09:58 -0700 (PDT)
Received: from homiemail-a95.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 429FD1A094C for <tls@ietf.org>; Wed, 30 Apr 2014 15:09:58 -0700 (PDT)
Received: from homiemail-a95.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a95.g.dreamhost.com (Postfix) with ESMTP id 87DDA1E05D for <tls@ietf.org>; Wed, 30 Apr 2014 15:09:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=MCKC3cK2CeyqMOmg9BIE y8hukCY=; b=YK2xqz+TtgpM5EJvaIlnaS7WM+0MnhxKePED+2lE2WpXydXY9PEl 4YpziLEoApMuv1kI46Co9niaKzEmE6Yzhtq3ZLBa1/5JViz6+JIP97TivUj9sExw bAwVDhAKKVtEDBDLElTY2N4H92qTBaQ9fxuQnj1Bqkb8Q8tJlD8gVVE=
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com [74.125.82.182]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a95.g.dreamhost.com (Postfix) with ESMTPSA id 360BC1E059 for <tls@ietf.org>; Wed, 30 Apr 2014 15:09:56 -0700 (PDT)
Received: by mail-we0-f182.google.com with SMTP id u57so2344080wes.13 for <tls@ietf.org>; Wed, 30 Apr 2014 15:09:55 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.62.176 with SMTP id z16mr3942803wjr.67.1398895795071; Wed, 30 Apr 2014 15:09:55 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Wed, 30 Apr 2014 15:09:54 -0700 (PDT)
In-Reply-To: <CA+_8ft7fwatXJjDmcsHvXG5W+CRPAx8N1+cT9Mh86pntQ7=_vQ@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com> <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com> <CA+_8ft7fwatXJjDmcsHvXG5W+CRPAx8N1+cT9Mh86pntQ7=_vQ@mail.gmail.com>
Date: Wed, 30 Apr 2014 17:09:54 -0500
Message-ID: <CAK3OfOgrXFeBEx8EWHaxvp7ZtQJ2YAap1myn5BHWKesTMCYEXA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wmcVJcaknBPjhXKX6MsHGeloYgk
Cc: "tls@ietf.org" <tls@ietf.org>, Alfredo Pironti <alfredo@pironti.eu>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 22:09:59 -0000
On Wed, Apr 30, 2014 at 8:25 AM, Karthik Bhargavan <karthik.bhargavan@gmail.com> wrote: > On Wed, Apr 30, 2014 at 2:15 PM, Bodo Moeller <bmoeller@acm.org> wrote >> Thanks, but haven't we seen that this alone doesn't actually fix the >> problem? I think we'll need a requirement for clients and servers >> implementing this spec to do one of the following, because an attacker can't >> be expected to opt in to extended master secrets in its handshakes: >> >> (1) If the current session does not use an extended master secret, don't >> allow renegotiation. >> >> (2) If a session does not use an extended master secret, don't allow it to >> be resumed. Why not both? > I agree that the first approach is probably more palatable for legacy > applications. We should require no-renegotiation, and strongly recommend > that application not use channel bindings or exported TLS keys (or PRFs) in > this case. That's difficult. It requires first-class APIs for getting CB, which many libraries lack. Nico --
- [TLS] Triple Handshake Fix. Adam Langley
- Re: [TLS] Triple Handshake Fix. Alfredo Pironti
- Re: [TLS] Triple Handshake Fix. Yngve N. Pettersen
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Rex
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller