Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:

Martin Rex <Martin.Rex@sap.com> Wed, 04 November 2009 00:32 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7681828C0FB; Tue, 3 Nov 2009 16:32:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.201
X-Spam-Level:
X-Spam-Status: No, score=-6.201 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEW5NsrzOqbn; Tue, 3 Nov 2009 16:32:08 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 447BC3A690A; Tue, 3 Nov 2009 16:32:08 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nA40WRch023726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 4 Nov 2009 01:32:27 +0100 (MET)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200911040032.nA40WQNB004167@fs4113.wdf.sap.corp>
To: Nicolas.Williams@sun.com (Nicolas Williams)
Date: Wed, 4 Nov 2009 01:32:26 +0100 (MET)
In-Reply-To: <20091103222352.GJ1105@Sun.COM> from "Nicolas Williams" at Nov 3, 9 04:23:53 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: mrex@sap.com, channel-binding@ietf.org, tls@ietf.org, sasl@ietf.org
Subject: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2009 00:32:09 -0000

Nicolas Williams wrote:
> 
> On Mon, Nov 02, 2009 at 03:59:44PM +0100, Martin Rex wrote:
> > Nicolas Williams wrote:
> > > 
> > > Another problem that Larry has is that in his implementation what I call
> > > a "TLS connection" is called a "security context", and if the
> > > application re-handshakes (e.g., to authenticate a user) then the result
> > > is a second security context -- we need to be extra clear that it's the
> > > client Finished message from the _first_ "security context" that we're
> > > after.
> > 
> > OooopS.
> > 
> > The session that results from a re-handshake is an entirely new and
> > independent session from what it started from, it does NOT modify
> > the state of the original session (as identified by its TLS session ID).
> 
> What "oops"?  We need to identify one, and only one, client Finished
> message to use.  The name of the thing that that message is related to
> is only relevant to writing the text for this channel binding type's
> definition.

The OooopS refers to the fact, that a TLS session that is renegotiated
results in an entirely different TLS session with an independent
MasterSecret, and I am violently opposed to having to memorize in
the new re-negotiated TLS session anything from a completely unrelated
TLS session.


A full TLS-handshake and a later TLS session are still the same
underlying TLS session, sharing the master secret.  (they do have
connection-specific and direction specific crypto keys, of course).


When a Web Browser loads a new page containing several elements
(style sheets, buttons, icons, frames, etc.), then it first needs
to retrieve the top level document over a single network connection.
Doing so, a new TLS session can be created and added to the
session cache.  The session can be added to the cache as soon
as the TLS handshake is successfully completed, even before
any application data has been transferred.

Having received the top-level document, the browser determines
that it will have to load another dozen or so elements in order
to render the page, and will then usually open several network
connections in parallel (and probably reuse the one it just used
if it is HTTP 1.1 keep-alive).  If session caching on both sides
is working correctly, then the client can resume the original
TLS session on all additional parallel network connections
directly.

If there is one top-level-page, 12 elements and up to 4 parallel
network connections per server, then this will result in
a single full TLS handshake and 3 TLS session resumes and 
one session in the session caches of client and server.

  1st page:  1 full,  3 resumes,  1 session in the server session cache
  2nd page:  4 resumes, 1 session in the server session cache


If your server is a Microsoft IIS with special configuration,
then it goes like this:

1 full TLS-handshake plus 1 renegotiate (=1 full TLS-handshake)
plus 3 TLS-resumes, each followed by a renegotiate (=3 full TLS-handshakes)


  1st page: 5 full, 3 resumes, 5 sessions in the server session cache
  2nd page: 4 full, 4 resumes, 9 session in the server session cache


A full TLS handshake is typically at least 10x more expensive than
a TLS session resume (that is the crypto of the TLS handshake alone,
not counting any fancy certificate path validation or revocation
checking).


> 
> > 
> > The TLS specs do not describe API semantics, however, only the
> > network protocol and TLS session state, so your terminology is
> > IMHO confusing.
> 
> All of that is irrelevant.

No, it isn't.  With channel bindings, you are actually looking/asking for
a particular API semantic.

IMHO, a renegotiation is a problem for both TLS PRF ("extractors")
and channel bindings, because on the wire and at the TLS protocol
level (concerning the TLS session state), renegotiation restarts
everything from scratch.  It does so under protection of a previously
negotiated TLS session, but still, the original and the re-negotiated
session are completely distinct and will void all assumptions that
the application may have associated with the originally established
TLS session.


-Martin