Re: [TLS] CCS and key reset and renegotiation

Jeffrey Walton <noloader@gmail.com> Thu, 05 June 2014 21:52 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDB71A0292 for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 14:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1hjcdjc6tEC for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 14:52:04 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB751A0188 for <tls@ietf.org>; Thu, 5 Jun 2014 14:52:04 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id la4so1965381vcb.0 for <tls@ietf.org>; Thu, 05 Jun 2014 14:51:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=kIjvRXLij8Tz7jZi34riQXtNm9OPRmiQRAL1Sj31LQ0=; b=SGL1AuoecLwWxtRvmJmxS8jQCX/CB7iOqg6Mo4ojISawNotmDsuL9ZVZhgqvSJRyii MFZJIQvyxOR0n44QGZijf+2O9crC7183gBAAPPhrfFbjkW/cB0QChPcyxdhj2fMEnFXL 23l8xPK8qwjR9NRJddFqlxB1vo3w9PAFd/WT/Hm6yPqj+hDgxpq/i1EPpvZ1tahlUnKM vgB2q6/nhfFMtOlrP4QnmzQyyDRFbGYfSMv+rvC2ViZuM1XvyDTHmHuo1pvjSeVIud4k nT+f7Q7oomikn3IWNBKqRjdjE1+VSb1A5VmZI24Wxq6qJtnX4hPVhOcLtnyjqmWGHOpX LcFQ==
MIME-Version: 1.0
X-Received: by 10.58.143.13 with SMTP id sa13mr685452veb.44.1402005117383; Thu, 05 Jun 2014 14:51:57 -0700 (PDT)
Received: by 10.220.227.7 with HTTP; Thu, 5 Jun 2014 14:51:57 -0700 (PDT)
In-Reply-To: <CACsn0c=O5Xp82JqsxXsik+4NEG5h-0HSJ-NM1zhywJVg_oX1Dg@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7130F434981@USMBX1.msg.corp.akamai.com> <CACsn0c=O5Xp82JqsxXsik+4NEG5h-0HSJ-NM1zhywJVg_oX1Dg@mail.gmail.com>
Date: Thu, 5 Jun 2014 17:51:57 -0400
Message-ID: <CAH8yC8=r2QatJLshJBoXx5nux9U_xoxCG1pcDG51wWCu0ei1sg@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zrwhvC05phCvSrkEZX1hPjhsyIw
Subject: Re: [TLS] CCS and key reset and renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 21:52:07 -0000

On Thu, Jun 5, 2014 at 11:25 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
> On Jun 5, 2014 8:12 AM, "Salz, Rich" <rsalz@akamai.com> wrote:
>>
>> Have folks seen this yet?
>>
>> http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
>>
>> I think it adds weight to my concern about using ChangeCipherSpec to do
>> key reset.  I still prefer the trade-offs of having a “slow the TLS but keep
>> the TCP layer open” and starting over.  Much simpler to prove it’s correct.
>
> What can change when that happens? Furthermore, rekeying is a matter of
> getting more PRF output: how does that introduce security concerns.
>
> I don't see why the incompetence of implementors should govern our
> decisions. If something cannot be implemented correctly it must be removed,
> but why is rekeying such a thing?

I'm reading two points in that last statement: first, some
implementers are incompetent; and second, the TLS WG does not make bad
decisions.

For the first point, I think its too easy to blame an implementer.
Perhaps there's a gap that needs to be addressed for implementers. Has
the TLS WG considered providing a comprehensive test framework to
ensure their designs are realized in an implementation?

The working group is in a unique position to offer the best and most
complete set of tests. They are in that position because they
understand what they want, they know why they want it, and they know
what they rejected. So a testing framework with positive and negative
self tests would probably be very helpful to implementers. And that's
all implementers, and not just the ones that are labeled incompetent.

Plus, the implementers should *NOT* be asked to create their own test
cases. That's simply bad engineering, and the problem has been known
for years. Gutmann and Anderson talk about in their respective books
on security and engineering. Those books are 10 or 15 years old, so
its not bleeding edge knowledge.

For the second point, Authenticate-then-Encrypt has proven to be
problematic for years. I would not blame the implementers or call them
incompetent for subtle problems in the construction. Especially when
it took a formal analysis by practicing cryptographers to uncover and
present the problems [0].

The problems with Authenticate-then-Encrypt have been known since at
least 2000 [0]. I question why the folks responsible for the standard
did not acknowledge the problem and provide safer or better
alternatives more expediaently. Nearly ten [1] or fifteen years [2] to
address the [re-occuring] problem seems a bit excessive to me.

The folks responsible for the standard are collectively smarter people
than the folks implementing the standard and using the standard. We
(the dumb users) need the group to act expediently when gaps are
uncovered.

For completeness, CompSci 101 mistakes are an implementers problem.

-----

[0] H. Krawczyk. The Order of Encryption and Authentication for
Protecting Communications,
http://www.iacr.org/archive/crypto2001/21390309.pdf
[1] J. Salowey, et al. AES Galois Counter Mode (GCM) Cipher Suites for
TLS, http://tools.ietf.org/html/rfc5288
[2] P. Gutmann. Encrypt-then-MAC for TLS,
http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-00