IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-cached-info-19

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 24 August 2015 16:39 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF6831A889D for <tls@ietfa.amsl.com>; Mon, 24 Aug 2015 09:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeJsYzmTWkB8 for <tls@ietfa.amsl.com>; Mon, 24 Aug 2015 09:39:46 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B3EF1ACD63 for <tls@ietf.org>; Mon, 24 Aug 2015 09:39:44 -0700 (PDT)
Received: from [192.168.131.138] ([80.92.122.31]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Lkwpt-1YvgUd1J5B-00anbq; Mon, 24 Aug 2015 18:39:42 +0200
Message-ID: <55DB489C.80505@gmx.net>
Date: Mon, 24 Aug 2015 18:38:52 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>, Joseph Salowey <joe@salowey.net>
References: <CAOgPGoBivgXGKpZH=4mSkrVaKyg9YPi05rphs3VOcvuiFfPzrg@mail.gmail.com> <CABkgnnU++z-r3m2p-+k-6i8BwE5o9wXULS0RVJfCG1+nmkY13Q@mail.gmail.com>
In-Reply-To: <CABkgnnU++z-r3m2p-+k-6i8BwE5o9wXULS0RVJfCG1+nmkY13Q@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="0UN3E5u2kDco2IS2B1rXE1b9tMW6h9FCk"
X-Provags-ID: V03:K0:RpCh6lsCjc4FXOUU4rQ0ZRpVnyFhJ8RtwdkIY7DlEkXr95+PN/Y AeUrZQ/G7ukwBnlaYTvIOsAPP8K8aCRR9xUbbSkdr7UN/RqeIS0nrzAwM+XFOCkvD8WmwOw GBY3aZVENk7F3iA7NQNuiCwJvwbnZIQSkrW92zs05bzrrF440BNTXzVakg5iaNeDY6580yZ 5fX4/kncOK18E0ylneQHA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:030+xPHA/qY=:VW+5mkSh6/QX8qKoXNFlYT 7s+iV6OzA6yQevPjCtWXTiF79rYVp8R4Gsyq5Cx4pJB/27gyDRuLeptUuzpKvBzca0KWf0x8G kXGx/YJFKKIeHTeIjsM3SCMSvWG8diMEFisxRve/pAEsbR+/t1I5a2SDrK36Xr8X9rMDbq9o9 LeBhy/Bj9m4JDt6ChUUaq/1E0U/RYtoCvWYxDnkv+N8hQeH8b+0fUQqp6tdnIWwNazTwPL0KL xByfEw2vxPoEu7+ouPuvEMWRpGhko/SMzNZafWtHcgjvpmV16lfRI7cNvSMu+iUzM28KQV8WL hPZhgVu3FrkQH4YkTkHpedpoChG1doGjEbkipK4vaMOqjnKtnmj9UnkT1jgbzzN1q0ld8HiXv ol5VGC58QcTyl/Mikuu1miHv/vmJyR41/ZSxf0poLcDo9VGGYg9tnyTY+x/CnsRmLnxuh3/sq nl9AopxDJ3QXo6rnjt5Y3MDwnq2edeOlfykiGM/lo+R4DRoZCHO7w13BH0HIsG5aHtEmKMbK9 Lwro22DEY9P7ISw0ueRcAULav5StJSyfG/cW4peOboVyK0x6sv13V4ajJu/eGNos0hHOCl4Or NYWrdrpSD/l4ETwQNZU4wz9o/ZBm3UYkYYBAV/hI4MJ6yHAs9f6MDCoTsNoPX1Exc448a4YQA zh0BORixzcohOr4eR2S2Y8arOp8p0eixJBPret+SMTQEc1CUCtMK7K9M/fBf7GyE4yZM5oSOs IVY1RT6UiXRxAfdy
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/y_zhKC42PgaaiMLiTEFLYIX7enU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 16:39:49 -0000

Hi Martin,

thanks for your review.

On 08/06/2015 10:33 PM, Martin Thomson wrote:
> I've read this draft before, but this is considerably different to
> what I read, and I haven't been following the discussion, so consider
> this as a review with fresh eyes.
> 
> First the high points.  I think that this is useful, the right scope,
> and reasonably well formulated.  I have a couple of minor points
> 
> Figure 2 is in error: it shows CertificateRequest instead of Certificate.

Good catch. A copy-and-paste error.

> 
> I'd like to see the document explicitly note that msg_type and length
> from the handshake message are not covered by the hash.  The
> description of what is covered is a little too terse (and badly
> formatted).

There are multiple message type / message length fields included in the
message and I am not sure which of those you rare referring to.

The msg_type and msg_length from the record layer is not part of the
fingerprint calculation. The spec only focuses on the certificate
message in Section 4.1 and the CertificateRequest message in Section
4.2. These message do, however, also contain length information.

I included an example into the document. See Appendix A:
https://github.com/hannestschofenig/tschofenig-ids/blob/master/tls-cached-info/draft-ietf-tls-cached-info-20.txt

> 
> I'm not sure that I like the lack of both negotiation and signaling
> for the hashes that are used here.

We had a negotiation capability in earlier versions of the document but
it appeared to be an overkill.

What is there now is essentially an indication of the hash algorithm
based on what the client presents with the CachedInformationType
structure. If you need support for a new algorithm then add a new type
(and the implementation). We could make it easier to add new algorithms
(via the expert review process). We could also register another
algorithm already now, if found necessary.

>  Though I think the chances of a
> collision being found, or that a collision would lead to an attack,
> are slim, I would rather see this use the PRF hash so we have at least
> that much flexibility.

While there is indeed a possibility for hash collisions those will still
lead to a failed exchange since the TLS server will not possess the
correct private key that corresponds to the cached certificate.

>  If the current design is retained, I would
> like to see a little discussion of this in the document.  A little
> analysis of the properties we expect the hash to provide would also be
> good.
> 
> I think that truncated hashes might be advantageous from the server
> side.  Given that the server only uses hashes to identify which of the
> offered (available, known?) cached information is in use, is there any
> reason you can't save additional space by arbitrarily truncating the
> hash?  In many cases I would imagine that the client would be offering
> only one option and even if there were a small number of options
> presented, a single byte would suffice to disambiguate.
> 
> I'm trying to think why you might want the full-length hash on the
> client side, but I believe that the only problem there is that there
> might be a collision between the certificates that a server might
> offer if you truncate too aggressively.  The connection still relies
> on the server presenting proof of knowledge of a key that the client
> extracts from a certificate bound to the server identity, so I believe
> that it would be equally secure if you removed all mention of
> certificates from the protocol.  And that makes me nervous, because
> I'm fairly sure that Karthik will tell me that I'm wrong very shortly;
> since we've put in a lot of work to cover key fields in the handshake
> hash, and I'm concerned that this could be exploited somehow.
> 
> The more I think about this, the more I think that we need a little
> more analysis on this point (i.e., what properties the hash function
> needs to provide and why).  If it has already happened, mention of
> that in the security considerations is needed.
> 
> (I think that truncation on the server side is safe if the client uses
> a strong hash function to identify the certificate, but I'm frequently
> wrong about these things.)
> 
There are three designs possible for referencing the cached state, namely

1) The client creates the reference.

This is the current approach. The client creates a reference (via the
use of the hash function) and tells the server that it has seen certain
parameters before and that there is no need to re-transmit them.

2) The server creates the reference.

In this design the server allocates the reference and sends it to the
client. The client

3) There is no reference at all.

The client just tells the server not to send certain payloads because it
has cached something already previously. While the server does not get
told what has been cached the worst thing that can happen is that the
exchange fails (in which case the client has to fall back to a full
exchange).

Which approach do you prefer? We had various iterations of this
throughout the lifetime of the document.

Independently of these three approaches it is certainly true that fewer
bytes transmitted over the wire are preferable.

Ciao
Hannes

> 
> On 6 August 2015 at 10:24, Joseph Salowey <joe@salowey.net> wrote:
>> Hi Folks,
>>
>> This is the Working Group last call for draft-ietf-tls-cached-info-19.  This
>> document has undergone modification since last WGLC so another WGLC is
>> appropriate.  This document is a dependency for the DICE working group
>> TLS/DTLS profile. Please send your comments to the TLS list by September 2,
>> 2015.
>>
>> Thanks,
>>
>> J&S
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email