Re: [TLS] TLS renegotiation issue

To: ekr at rtfm.com (Eric Rescorla)
Subject: Re: [TLS] TLS renegotiation issue
From: Martin Rex <mrex at sap.com>
Date: Thu, 5 Nov 2009 18:11:41 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> from "Eric Rescorla" at Nov 4, 9 07:26:59 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Eric Rescorla wrote:
> 
> Marsh Ray, the initial discoverer, has been working with a bunch of
> people in the security community to deal with this issue and develop
> a fix. Tomorrow AM I'll be posting an initial draft that describes
> the obvious fix, which is to cryptographically bind negotiations
> to any enclosing connection (if any). I won't be in Hiroshima but
> I expect the WG will want to discuss this topic.


One conceivable approach would be a TLS extension for secure renegotiation
with roughly the following semantics:


 - on initial TLS handshakes (aka Re-nego of a TLS_NULL_WITH_NULL_NULL)
   the client that supports secure renegotiation should send the
   TLS extension in the client hello with an empty extension data
   to signal to the server that it support secure renegotation.

 - on TLS session renegotiations, the client should sent the TLS extension
   with the extension data containing the client.random and server.random
   from the existing session.

 - A server that receives a ClientHello without the TLS extension for
   secure renegotiation should NOT perform old-style renegotiation
   for that session (and get apps with flawed assumptions into trouble),
   i.e. NOT support delayed authentication for those TLS clients.

 - A server that receives a ClientHello on an initial TLS handshake
   with a TLS extension (empty data) for secure renegotiation may decide to
   delay client-cert authentication to a securely renegotiated session

 - A server that receives a ClientHello with a TLS extension for secure
   negotiation and a reference to a previous session MUST compare the
   client.random and server.random from the extension data to that of
   the current session (and abort if they do not match).  And the
   server should probably insist on doing a ChangeCipherSpec on both
   directions in the renegotiation handshake.


Since Larry is looking for a means to uniquely identify a single
TLS "connection" independent of whether its a single TLS handshake
or renegotiated, we should check whether we can carry-over some
information form the initial handshake on a connection along
with the client.random&server.random.  Technically there is no
limit on the number of renegotiations, so a simple pointer
only one TLS session into the past does not seem sufficient
for that purpose.



-Martin

Follow-Ups:
- Re: [TLS] TLS renegotiation issue
  - From: Nicolas Williams
- Re: [TLS] TLS renegotiation issue
  - From: Marsh Ray

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla

Prev by Date: Re: [TLS] Channel binding versus keying material exporters
Next by Date: Re: [TLS] TLS renegotiation issue
Previous by thread: Re: [TLS] TLS renegotiation issue
Next by thread: Re: [TLS] TLS renegotiation issue
Index(es):
- Date
- Thread

Re: [TLS] TLS renegotiation issue

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.