Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Martin Rex wrote:
> > That was my conclusion as well, hence
> > http://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-00
> > which uses the TLS PRF interface.
> >
> > For -02 I also added hashing the Finished message, to match the
> > semantics for connection/session (regardless of its definition) of
> > draft-altman-tls-channel-bindings, but I'd prefer to avoid it
> > completely.
>
> If you refer to the TLS-extractor interface with TLS PRF, that does
> unconditionally include the client.random and server.random in the
> computation and therefore the output will differ for different
> incarnations (resumes) of the same TLS session. That is comparable
> to keying to the _most_recent_ finished message -- with __NO__
> special casing for TLS session resume and TLS renegotiation.

Note that just extracting some bytes from the TLS master secret (with
TLS extractor) is not sufficient to produce a channel binding,
because with RSA cipher suites, a man-in-the-middle could cause two
TLS sessions to have the same TLS master secret (this is explained in
draft-ietf-tls-extractor-07, Section 5). But those two sessions would
have different Finished messages.

(Version -00 of draft-josefsson-sasl-tls-cb had this problem. Newer
versions avoid it by including the handshake messages (either hashed,
or via the Finished message) in the calculation.)

Best regards,
Pasi
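
Added example (not part of the original message or of either draft): a Python sketch of the two points in this exchange, using the TLS 1.2 PRF from RFC 5246 with SHA-256. It assumes the two sessions with equal master secrets also share both random values; the label, the simplified transcript and all key material are constructed for illustration.

```python
import hashlib
import hmac


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pms: bytes, c_rand: bytes, s_rand: bytes) -> bytes:
    return prf(pms, b"master secret", c_rand + s_rand, 48)


def exporter(ms, c_rand, s_rand, label=b"EXPERIMENTAL cb demo", length=32):
    """Extractor output without context: keyed only by master secret and randoms."""
    return prf(ms, label, c_rand + s_rand, length)


def client_finished(ms: bytes, handshake: bytes) -> bytes:
    """verify_data covers a hash of all handshake messages, certificates included."""
    return prf(ms, b"client finished", hashlib.sha256(handshake).digest(), 12)


def session(pms, c_rand, s_rand, server_cert):
    """Return (master secret, extractor output, Finished) for one handshake."""
    ms = master_secret(pms, c_rand, s_rand)
    # Constructed stand-in for the real handshake message sequence.
    transcript = c_rand + s_rand + server_cert
    return ms, exporter(ms, c_rand, s_rand), client_finished(ms, transcript)


# Constructed values, not real key material.
PMS = b"\x03\x03" + bytes(46)
CR, SR = b"C" * 32, b"S" * 32

# Two sessions with the same pre-master secret and randoms (assumption of this
# example) in which different server certificates appeared in the handshake.
A = session(PMS, CR, SR, b"cert-seen-by-client")
B = session(PMS, CR, SR, b"cert-of-server")

# A resume of session B: same master secret, fresh randoms.
RESUMED = exporter(B[0], b"c" * 32, b"s" * 32)
```

Each tuple holds the master secret, the extractor output and the Finished value: the first two are equal across A and B while the Finished values differ, and RESUMED differs from B's extractor output because the randoms changed.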