Re: [TLS] Cached Info extension - Draft 01

To: stefan at aaa-sec.com (Stefan Santesson)
Subject: Re: [TLS] Cached Info extension - Draft 01
From: Martin Rex <Martin.Rex at sap.com>
Date: Thu, 2 Jul 2009 18:33:49 +0200 (MEST)
Cc: simon at josefsson.org, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <C6721D2F.2ECF%stefan at aaa-sec.com> from "Stefan Santesson" at Jul 2, 9 08:15:43 am
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

Stefan Santesson wrote:
> 
> On 09-07-02 1:00 AM, "Martin Rex" <Martin.Rex at sap.com> wrote:
> > 
> > If the real data is no longer part of the SSL handshake, but instead
> > either a weak hash or even a static "cache handle", then there is
> > a change in the cryptographic properties of the SSL handshake using
> > cached handshake data and the full handshake with the real data.
> 
> I don't believe this conclusion is correct.

I think you might be misreading my conclusion.

I think that we're cryptographically safe in modyfying the handshake
by making a strong (agile) hash value over the original data part
of the handshake instead.  This is even safe for handling errors.

If we drop the cryptographic binding of the original data in
the handshake, we might create problems that we haven't thought
of so far, and the architecure becomes brittle to handling errors.
Without the cryptographic binding, cache poisoning will become
feasible.  The (server) endpoint identification that many/most
clients currently perform is so ridiculously weak that I'm
worried about cache poisoning.  And how about caching of
handshake data from incomplete TLS-handshakes that are
incomplete, common and non-malicious?  (like when a server
requests a client cert, the client doesn't send one, and the
server terminates the handshake with a fatal alert?
Without the cryptographic binding of the original data to
the cache-using handshake, we should probably need to explicitly
prohibit caching there. 

For the TLS extension client certificate URL the previously optional
hash over the client cert was made mandatory.  I think that it is
a sensible action to play safe and to try to maintain the
cryptographic binding to the full SSL handshake by including
a strong agile hash value over the original handshake data
when the original data is omitted or replaced by a weak reference.

-Martin

References:
- Re: [TLS] Cached Info extension - Draft 01
  - From: Stefan Santesson

Prev by Date: Re: [TLS] Cached Info extension - Draft 01
Next by Date: [TLS] Agenda Items for TLS
Previous by thread: Re: [TLS] Cached Info extension - Draft 01
Next by thread: Re: [TLS] Cached Info extension - Draft 01
Index(es):
- Date
- Thread

Re: [TLS] Cached Info extension - Draft 01

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.