Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Martin Rex <mrex@sap.com> Thu, 26 November 2009 18:01 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D3B33A689C for <tls@core3.amsl.com>; Thu, 26 Nov 2009 10:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.183
X-Spam-Level:
X-Spam-Status: No, score=-6.183 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHO-24n+cyfs for <tls@core3.amsl.com>; Thu, 26 Nov 2009 10:01:57 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 28D143A67E4 for <tls@ietf.org>; Thu, 26 Nov 2009 10:01:56 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAQI1o6c022242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 26 Nov 2009 19:01:50 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911261801.nAQI1nCd015456@fs4113.wdf.sap.corp>
To: david-sarah@jacaranda.org
Date: Thu, 26 Nov 2009 19:01:49 +0100
In-Reply-To: <4B0EB97A.6010106@jacaranda.org> from "David-Sarah Hopwood" at Nov 26, 9 05:23:06 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 18:01:58 -0000
David-Sarah Hopwood wrote: > > The previous_verify_data is not necessarily secret, so this requires the > PRF to be secure against related-key attack. The particular PRFs used in > SSLv3 and TLS 1.0 to 1.2 should be secure in that sense, but (if we > decide to use this approach) I still prefer what I suggested before: > > verify_data = > PRF(master_secret, finished_label, Hash(handshake_messages) > + previous_verify_data) > [0..verify_data_length-1]; > > which uses the PRF in a more conventional way. I strongly recommend against such an approach. It's going to be a big mess implementation-wise. You'll have to keep double the state around in order to be able to calculate the Server.Finished of the Renegotiation, and then transfer shift the oldest verify_data out after Server.Finished. It's more code, it doesn't address the CertificateVerify at all and to interop-test this reliably, you will need to perform at least two rengotiations on a communication channel to be sure that the shifting of the Finished messages works correctly. Most implementations that offer renegotiation do not have usage scenarios to test dual-renegotiations, requiring additional test tools to be built. One of the reasons why I wanted to add the verify_data early into the handshake is that the session only needs to provide room for one of them, making it much easier to implement when you don't have to special case around while calculating the finished messages and temporarilyy parking of the new Client.Finished before the new Server.Finished processing has completed. I think that adding the Client.Finished.verify_data at the very beginning of a renegotiation handshake message hash, maybe even prefixed with a bogus Finished message header 0x14 0x00 0x00 0x77 would address the theoretical attack that you brought up. -Martin
- [TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood