Re: [TLS] Cached Info extension - Draft 01
Martin,
On 09-07-02 1:00 AM, "Martin Rex" <Martin.Rex at sap.com> wrote:
> If the real data is no longer part of the SSL handshake, but instead
> either a weak hash or even a static "cache handle", then there is
> a change in the cryptographic properties of the SSL handshake using
> cached handshake data and the full handshake with the real data.
I don't believe this conclusion is correct.
The handshake will proceed exactly as it would have if the real data were
exchanged, preserving the cryptographic properties of a full handshake with
the original data.
This is true with only one exception. It changes the data used to calculate
the finished message. With cached data, the finished message is calculated
over the "weak" hashes instead of the original data.
For this to be turned into an attack, you have to make it plausible that one
could force two different TLS sessions to produce colliding finished
messages through a "weak" caching hash. This can't be the case if the hash
algorithm used to calculate the finished message is solid.
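The point made above about the Finished message, worked through as an added example (this is not code from the original post and not the cached-info draft's wire format): the toy below builds a handshake transcript either with the full certificate or with a cache handle in its place, computes a Finished-style MAC over it, and then shows what a collision in the caching hash buys an attacker. Everything here is an assumption for illustration: HMAC-SHA256 stands in for the TLS PRF, a one-byte fingerprint stands in for a deliberately "weak" caching hash, and the certificates and master secret are constructed byte strings.

```python
"""Toy model of the Finished computation with and without cached handshake data.

Constructed illustration only: stand-in handshake messages, HMAC-SHA256 in
place of the TLS PRF, and a one-byte "weak" cache handle so that collisions
can be found by brute force in a fraction of a second.
"""
import hashlib
import hmac

# Constructed sample data (not real certificates or secrets).
CERT_A = b"-----BEGIN CERTIFICATE----- server A (constructed) -----END CERTIFICATE-----"
CERT_B = b"-----BEGIN CERTIFICATE----- server B (constructed) -----END CERTIFICATE-----"
MASTER_SECRET = b"constructed master secret shared by both peers"
CLIENT_HELLO = b"ClientHello:client_random=..."
SERVER_HELLO = b"ServerHello:server_random=..."


def strong_fingerprint(cert: bytes) -> bytes:
    """Cache handle built from the full SHA-256 digest of the certificate."""
    return hashlib.sha256(cert).digest()


def weak_fingerprint(cert: bytes) -> bytes:
    """Deliberately weak cache handle: 1 byte of SHA-256, so collisions are cheap."""
    return hashlib.sha256(cert).digest()[:1]


def transcript(cert_field: bytes) -> bytes:
    """Handshake transcript. cert_field is the full certificate in a full
    handshake, or the cache handle in a cached-info handshake."""
    return b"".join([CLIENT_HELLO, SERVER_HELLO, cert_field])


def finished(master_secret: bytes, handshake: bytes) -> bytes:
    """Stand-in for verify_data: MAC over the transcript hash under the master secret."""
    digest = hashlib.sha256(handshake).digest()
    return hmac.new(master_secret, digest, hashlib.sha256).digest()


def finished_full(cert: bytes) -> bytes:
    """Finished for a full handshake that carried the real certificate."""
    return finished(MASTER_SECRET, transcript(cert))


def finished_cached(cert: bytes, fingerprint) -> bytes:
    """Finished for a cached-info handshake that carried only the cache handle.
    Both peers feed the handle, not the cached certificate, into the transcript."""
    return finished(MASTER_SECRET, transcript(fingerprint(cert)))


def find_weak_collision(cert: bytes, max_tries: int = 5000) -> bytes:
    """Brute-force a different certificate whose weak_fingerprint equals cert's.
    With a 1-byte handle this takes about 256 tries on average."""
    target = weak_fingerprint(cert)
    for i in range(max_tries):
        candidate = CERT_B + b" serial=%d" % i
        if candidate != cert and weak_fingerprint(candidate) == target:
            return candidate
    raise RuntimeError("no collision found within max_tries")


if __name__ == "__main__":
    other = find_weak_collision(CERT_A)
    # Full handshake: different certificates always give different Finished values.
    print("full handshake differs:  ", finished_full(CERT_A) != finished_full(other))
    # Weak cache handle: colliding handles give identical transcripts and Finished values.
    print("weak cache collides:     ",
          finished_cached(CERT_A, weak_fingerprint) == finished_cached(other, weak_fingerprint))
    # Strong cache handle: the same two certificates no longer collide.
    print("strong cache differs:    ",
          finished_cached(CERT_A, strong_fingerprint) != finished_cached(other, strong_fingerprint))
```

The only place the two modes diverge is the byte string fed into the Finished MAC: certificate bytes in one case, the cache handle in the other. With the one-byte handle, two different certificates collapse to the same transcript and therefore the same Finished value, which is exactly the collision the post says an attacker would need; with a full-length SHA-256 handle the brute-force search in `find_weak_collision` would not terminate, and the two handshakes stay distinguishable.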