IETF Logo Mail Archive

Re: [TLS] New TLS version negotiation mechanism, take 2

Dave Garrett <davemgarrett@gmail.com> Fri, 27 March 2015 21:53 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E30A1B2B1D for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 14:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UK4jSU16P4dd for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 14:53:20 -0700 (PDT)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF7231B2B1B for <tls@ietf.org>; Fri, 27 Mar 2015 14:53:19 -0700 (PDT)
Received: by qgep97 with SMTP id p97so145952373qge.1 for <tls@ietf.org>; Fri, 27 Mar 2015 14:53:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=2f+MMn0D7Y+eBt0IxQfqya4NN/9jiA+IzqSkef5zrwU=; b=WJxPH9k7oPL4xujuzfuGYizm4E1Boq0rLW5qyyjo8M9mfsUOYIpqC+NKA6r5c1JCg1 m7aZKTkR8Zaq71nrbL/5YosL0Vgd7qpxp/udAPeU+YyjKLmcQCtVQqT9muxyrMhiIrUy 1gxi2fqc/o3lfLYxCcet0yd2lWMC5m6zrIv1ShixOb5X27+RcFHXSHFxbljJ8amGra1P 7fwlvl3xOCI2t+8El0jUbOl0wwFvqwCugcwqzwwou0OJegCkEvf2lWISav5w/UykfdgR z3ak7n5Ic0bre3R8Z3SlJpXrN4oZvWzCKePLjB26SQNvQY55CkC8zIotgsi+BtBq3Lll OHrg==
X-Received: by 10.229.122.70 with SMTP id k6mr11997387qcr.27.1427493199244; Fri, 27 Mar 2015 14:53:19 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id d49sm2380936qge.19.2015.03.27.14.53.18 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 27 Mar 2015 14:53:18 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Xiaoyin Liu <xiaoyin.l@outlook.com>
Date: Fri, 27 Mar 2015 17:53:17 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <201503260330.43588.davemgarrett@gmail.com> <201503271153.34569.davemgarrett@gmail.com> <BAY180-W16CB11289DEAA0E2A2681BFF090@phx.gbl>
In-Reply-To: <BAY180-W16CB11289DEAA0E2A2681BFF090@phx.gbl>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201503271753.17526.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yQCY_JfX5pzB1SLmkOCvOg_NCQI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New TLS version negotiation mechanism, take 2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 21:53:22 -0000

On Friday, March 27, 2015 03:46:05 pm Xiaoyin Liu wrote:
> > > > + Only one extension with one fixed length value
> > > 
> > > But here you lose the benefit, as the client can't inform the server
> > > that it supports multiple TLS 1.3 drafts if the field is of fixed
> > > length.
> > 
> > Yes. If we'd like to go back to the list idea, I'm not wholly against
> > it.
> > 
> > In this mechanism, the client may support only one draft, but the
> > server may support multiple just fine.
>
> I support the list idea. Besides being able to support draft versions,
> there is another benefit. If, for instance, after TLS 1.5 is released,
> someone finds a weakness that only exists in TLS 1.4, which makes TLS 1.4
> insecure. But TLS 1.3 and TLS 1.5 are still secure to use, and TLS 1.5 is
> better than TLS 1.3. Then with this version negotiation mechanism,
> clients can very easily mitigate the TLS 1.4 vulnerability by removing
> TLS 1.4 from the supported version list. But with the current version
> negotiation, clients would have to either set highest client version to
> TLS 1.3 or set to TLS 1.5 but fallback to TLS 1.3 if servers try to
> negotiate TLS 1.4.
>
>I know this is quite unlikely to happen, but I don't think we can safely
>assume this will never happen.
>
>Also this mechanism enables implementations to skip versions for whatever
>reasons, such as that some versions are not widely negotiated, like TLS
>1.1 today.

This was my exact reasoning for my first proposal:
https://www.ietf.org/mail-archive/web/tls/current/msg15441.html

Brian Smith posted a detailed review here:
https://www.ietf.org/mail-archive/web/tls/current/msg15470.html

His argument against the list method is that:
1) The client should not be announcing support for old versions that may be weaker than its highest supported version, and that this constitutes an unnecessary security risk.
2) The added complexity of negotiating with potentially non-continuous version support lists is not worth the risk of implementors botching it.

Personally, every time the general argument that announcing specific versions of something gives an attacker too much information, I'm not really convinced. That said, I don't really oppose limiting announced information, either.

I don't think the added complexity would make things significantly more likely to break, but I don't dispute that it's a valid argument.

The complexity differences between the current proposal and a list based proposal are that:
a) The ClientHello version field would be frozen and meaningless in a list negotiation, whereas the current proposal recycles it in a manner that avoids clients offering TLS 1.2 without supporting it.
b) List negotiation would vary the size of the extension. An arbitrary list size limit would not be a bad idea. It would nonetheless increase bandwidth usage slightly.
c) Clients will undoubtedly not all send the lists ordered properly and servers will have to sort through it to hunt for a best match to negotiate.
d) On the plus side, a list based negotiation would not be checking any version ranges anymore. It would be only looking for the highest overlapping value between the client and server's lists.

I would also add the argument that TLS should not make it more than a few major versions into the future. (DTLS is another story, and there may not even be a need for a new version negotiation mechanism there) TCP needs to be replaced with something that is reliable, fast, and secure. Something QUIC based will probably be the start, eventually. Based on that logic, super future-proofing TLS is counter-productive.

Honestly, I think the list based route could be done cleaner, though. Yeah, we might not really need things generalized this much, and non-continuous version support may not in demand, but it might work better. I'm not really opposed to the single max version route either.

That said, as I think about and work on the current WIP changeset, I am noting pitfalls that need mentioning that I think can be side-stepped with a list based solution (which might end up with its own, of course :p ).


Dave

v2.23.0 | Report a Bug | By Email