IETF Logo Mail Archive

Re: [TLS] Triple Handshake Fix.

Geoffrey Keating <geoffk@geoffk.org> Wed, 30 April 2014 22:05 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C16A81A09AC for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 15:05:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fl4sA7ZZoniO for <tls@ietfa.amsl.com>; Wed, 30 Apr 2014 15:05:00 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) by ietfa.amsl.com (Postfix) with ESMTP id EC5951A094C for <tls@ietf.org>; Wed, 30 Apr 2014 15:04:59 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 5DF7633D04B; Wed, 30 Apr 2014 22:04:58 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Karthik Bhargavan <karthik.bhargavan@gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <m2lhunwy32.fsf@localhost.localdomain> <CA+_8ft7XCoZ5LsRns8o+aMik5zCFB_L9TbASWv+n9P+nJsmHfw@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Wed, 30 Apr 2014 15:04:58 -0700
In-Reply-To: <CA+_8ft7XCoZ5LsRns8o+aMik5zCFB_L9TbASWv+n9P+nJsmHfw@mail.gmail.com>
Message-ID: <m2ha5awk1h.fsf@localhost.localdomain>
Lines: 37
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wvAolvozUL7n0sY6ZCNbN2HVOko
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 22:05:02 -0000

Karthik Bhargavan <karthik.bhargavan@gmail.com> writes:

> > I read this and couldn't work out how it interacted with
> > renegotiation.  I'm surprised there's no discussion of renegotiation
> > at all in section 3.  Does 'handshake_messages' include:
> >
> > a) Only the first handshake; or
> >
> 
> for each session, handshake_messages includes messages in the full
> handshake that set up the session.
> each full renegotiation handshake sets up a new session and hence a new
> session hash.
> 
> the session hash countermeasure is meant to link resumed connection with
> the original connections where the session was created.
> independently, we still need renegotiation indication (rfc4726) to link
> different handshakes on the same connection.
> in other words, the session hash complements rfc5746, it does not replace
> it.

So, I think the draft actually means b out of my original list of
choices.  I would not have guessed that.

The draft definitely needs to explain this.

The draft should also say something about requiring RFC5746.

Would it be better if we tweaked this draft so that if you use it you
don't need RFC5746?  It would be easy to do so and would make the
analysis simpler.  You could just include the previous Finished
messages in the hash, I think.

There should also be something in the security considerations section
about message sequence.  Some implementations might accept, say, a
second ServerCertificate message before the Finished, which would probably
be bad.

v2.23.0 | Report a Bug | By Email