Re: [TLS] CCS and key reset and renegotiation
Jeffrey Walton <noloader@gmail.com> Thu, 05 June 2014 21:52 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDB71A0292 for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 14:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1hjcdjc6tEC for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 14:52:04 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB751A0188 for <tls@ietf.org>; Thu, 5 Jun 2014 14:52:04 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id la4so1965381vcb.0 for <tls@ietf.org>; Thu, 05 Jun 2014 14:51:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=kIjvRXLij8Tz7jZi34riQXtNm9OPRmiQRAL1Sj31LQ0=; b=SGL1AuoecLwWxtRvmJmxS8jQCX/CB7iOqg6Mo4ojISawNotmDsuL9ZVZhgqvSJRyii MFZJIQvyxOR0n44QGZijf+2O9crC7183gBAAPPhrfFbjkW/cB0QChPcyxdhj2fMEnFXL 23l8xPK8qwjR9NRJddFqlxB1vo3w9PAFd/WT/Hm6yPqj+hDgxpq/i1EPpvZ1tahlUnKM vgB2q6/nhfFMtOlrP4QnmzQyyDRFbGYfSMv+rvC2ViZuM1XvyDTHmHuo1pvjSeVIud4k nT+f7Q7oomikn3IWNBKqRjdjE1+VSb1A5VmZI24Wxq6qJtnX4hPVhOcLtnyjqmWGHOpX LcFQ==
MIME-Version: 1.0
X-Received: by 10.58.143.13 with SMTP id sa13mr685452veb.44.1402005117383; Thu, 05 Jun 2014 14:51:57 -0700 (PDT)
Received: by 10.220.227.7 with HTTP; Thu, 5 Jun 2014 14:51:57 -0700 (PDT)
In-Reply-To: <CACsn0c=O5Xp82JqsxXsik+4NEG5h-0HSJ-NM1zhywJVg_oX1Dg@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7130F434981@USMBX1.msg.corp.akamai.com> <CACsn0c=O5Xp82JqsxXsik+4NEG5h-0HSJ-NM1zhywJVg_oX1Dg@mail.gmail.com>
Date: Thu, 05 Jun 2014 17:51:57 -0400
Message-ID: <CAH8yC8=r2QatJLshJBoXx5nux9U_xoxCG1pcDG51wWCu0ei1sg@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zrwhvC05phCvSrkEZX1hPjhsyIw
Subject: Re: [TLS] CCS and key reset and renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 21:52:07 -0000
On Thu, Jun 5, 2014 at 11:25 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > > On Jun 5, 2014 8:12 AM, "Salz, Rich" <rsalz@akamai.com> wrote: >> >> Have folks seen this yet? >> >> http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html >> >> I think it adds weight to my concern about using ChangeCipherSpec to do >> key reset. I still prefer the trade-offs of having a “slow the TLS but keep >> the TCP layer open” and starting over. Much simpler to prove it’s correct. > > What can change when that happens? Furthermore, rekeying is a matter of > getting more PRF output: how does that introduce security concerns. > > I don't see why the incompetence of implementors should govern our > decisions. If something cannot be implemented correctly it must be removed, > but why is rekeying such a thing? I'm reading two points in that last statement: first, some implementers are incompetent; and second, the TLS WG does not make bad decisions. For the first point, I think its too easy to blame an implementer. Perhaps there's a gap that needs to be addressed for implementers. Has the TLS WG considered providing a comprehensive test framework to ensure their designs are realized in an implementation? The working group is in a unique position to offer the best and most complete set of tests. They are in that position because they understand what they want, they know why they want it, and they know what they rejected. So a testing framework with positive and negative self tests would probably be very helpful to implementers. And that's all implementers, and not just the ones that are labeled incompetent. Plus, the implementers should *NOT* be asked to create their own test cases. That's simply bad engineering, and the problem has been known for years. Gutmann and Anderson talk about in their respective books on security and engineering. Those books are 10 or 15 years old, so its not bleeding edge knowledge. For the second point, Authenticate-then-Encrypt has proven to be problematic for years. I would not blame the implementers or call them incompetent for subtle problems in the construction. Especially when it took a formal analysis by practicing cryptographers to uncover and present the problems [0]. The problems with Authenticate-then-Encrypt have been known since at least 2000 [0]. I question why the folks responsible for the standard did not acknowledge the problem and provide safer or better alternatives more expediaently. Nearly ten [1] or fifteen years [2] to address the [re-occuring] problem seems a bit excessive to me. The folks responsible for the standard are collectively smarter people than the folks implementing the standard and using the standard. We (the dumb users) need the group to act expediently when gaps are uncovered. For completeness, CompSci 101 mistakes are an implementers problem. ----- [0] H. Krawczyk. The Order of Encryption and Authentication for Protecting Communications, http://www.iacr.org/archive/crypto2001/21390309.pdf [1] J. Salowey, et al. AES Galois Counter Mode (GCM) Cipher Suites for TLS, http://tools.ietf.org/html/rfc5288 [2] P. Gutmann. Encrypt-then-MAC for TLS, http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-00
- Re: [TLS] CCS and key reset and renegotiation Viktor Dukhovni
- [TLS] CCS and key reset and renegotiation Salz, Rich
- Re: [TLS] CCS and key reset and renegotiation Watson Ladd
- Re: [TLS] CCS and key reset and renegotiation Nico Williams
- Re: [TLS] CCS and key reset and renegotiation Salz, Rich
- Re: [TLS] CCS and key reset and renegotiation Martin Thomson
- Re: [TLS] CCS and key reset and renegotiation Peter Gutmann
- Re: [TLS] CCS and key reset and renegotiation Watson Ladd
- Re: [TLS] CCS and key reset and renegotiation Nico Williams
- Re: [TLS] CCS and key reset and renegotiation Viktor Dukhovni
- Re: [TLS] CCS and key reset and renegotiation Yoav Nir
- Re: [TLS] CCS and key reset and renegotiation Viktor Dukhovni
- Re: [TLS] CCS and key reset and renegotiation Yoav Nir
- Re: [TLS] CCS and key reset and renegotiation Jeffrey Walton
- Re: [TLS] CCS and key reset and renegotiation Peter Gutmann
- Re: [TLS] CCS and key reset and renegotiation Watson Ladd
- Re: [TLS] CCS and key reset and renegotiation Salz, Rich
- Re: [TLS] CCS and key reset and renegotiation Watson Ladd
- Re: [TLS] CCS and key reset and renegotiation Salz, Rich
- Re: [TLS] CCS and key reset and renegotiation Paul Lambert
- Re: [TLS] CCS and key reset and renegotiation Salz, Rich
- Re: [TLS] CCS and key reset and renegotiation Peter Gutmann
- Re: [TLS] CCS and key reset and renegotiation Michael StJohns