Re: [TLS] First TLS cached information draft posted

To: martin.rex at sap.com
Subject: Re: [TLS] First TLS cached information draft posted
From: Simon Josefsson <simon at josefsson.org>
Date: Tue, 09 Jun 2009 15:55:49 +0200
Cc: TLS at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200906091223.n59CNqov028494 at fs4113.wdf.sap.corp> (Martin Rex's message of "Tue, 9 Jun 2009 14:23:52 +0200 (MEST)")
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <87ab4hisev.fsf at mocca.josefsson.org> <200906091223.n59CNqov028494 at fs4113.wdf.sap.corp>
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.94 (gnu/linux)

Here is a modified idea.  Replace the CachedInformationHash with this
structure:

struct {
           HashAlgorithm hash;
           uint32 datasize;       /* NEW.  Size of hashed data.
                                     MUST be >= 4 * hashsize(hash) */
           opaque hash_value<0..255>;
      } CachedInformationHash;

The server respond by indicating whether it supports cached data in
principle, but defers until later in the handshake to decide whether to
replace data or not.  This addresses Martin's concern.

Then add text to say that datasize MUST be >= 4 * hashsize(hash) where
hashsize is the hash output size, i.e., 20 for SHA-1.  Smaller objects
cannot be cached with this extension.

The server can decide, when constructing later handshake packets,
whether to replace the generated data with a hash or not.  Typically,
the server would generate the data as normal.  Then if the client
provided a cache extension type for the object, it will compare a hash
of the generated data with the hash provided by the client.  If they
match, it will send the CachedInformationHash value instead of the
generated data.

The client parses the response, and can by looking at the size of each
object decide whether it is a hash or real data.

This runs into a problem if the server instead of returning a hash
returned data that was considerably smaller than the value cached by the
client.  The client could then be confused whether the returned data is
real data or a hash value.  A type-specific tag could be constructed
here -- for both certificate_list and certificate_authorities it could
be some invalid ASN.1 followed by the CachedInformationHash.

This is a compromise, but it seems difficult to solve both Martin's
concern and my concern that clients needs to reliably be able to decode
incoming data.  Better ideas welcome.

/Simon

References:
- Re: [TLS] First TLS cached information draft posted
  - From: Simon Josefsson
- Re: [TLS] First TLS cached information draft posted
  - From: Martin Rex

Prev by Date: Re: [TLS] First TLS cached information draft posted
Next by Date: Re: [TLS] First TLS cached information draft posted
Previous by thread: Re: [TLS] First TLS cached information draft posted
Next by thread: Re: [TLS] First TLS cached information draft posted
Index(es):
- Date
- Thread

Re: [TLS] First TLS cached information draft posted

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.