Re: [TLS] TLS renegotiation issue

To: Martin Rex <mrex at sap.com>
Subject: Re: [TLS] TLS renegotiation issue
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Thu, 5 Nov 2009 11:13:08 -0600
Cc: Eric Rescorla <ekr at rtfm.com>, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911051711.nA5HBfOl028765 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> <200911051711.nA5HBfOl028765 at fs4113.wdf.sap.corp>
User-agent: Mutt/1.5.7i

On Thu, Nov 05, 2009 at 06:11:41PM +0100, Martin Rex wrote:
> One conceivable approach would be a TLS extension for secure renegotiation
> with roughly the following semantics:
> 
> 
>  - on initial TLS handshakes (aka Re-nego of a TLS_NULL_WITH_NULL_NULL)
>    the client that supports secure renegotiation should send the
>    TLS extension in the client hello with an empty extension data
>    to signal to the server that it support secure renegotation.
> 
>  - on TLS session renegotiations, the client should sent the TLS extension
>    with the extension data containing the client.random and server.random
>    from the existing session.

The MITM can make sure they match.

Why not just send an extension with the tls-unique channel binding for
the first/outer connection, and then make sure that that gets fed as an
input for the PRF in the second/inner connection?  I.e., proper channel
binding.  The MITM _cannot_ make sure that the tls-unique CB of the
client<->MITM and MITM<->server outer connections match.

>  - A server that receives a ClientHello without the TLS extension for
>    secure renegotiation should NOT perform old-style renegotiation
>    for that session (and get apps with flawed assumptions into trouble),
>    i.e. NOT support delayed authentication for those TLS clients.

Right.

>  - A server that receives a ClientHello on an initial TLS handshake
>    with a TLS extension (empty data) for secure renegotiation may decide to
>    delay client-cert authentication to a securely renegotiated session

Right.

>  - A server that receives a ClientHello with a TLS extension for secure
>    negotiation and a reference to a previous session MUST compare the
>    client.random and server.random from the extension data to that of
>    the current session (and abort if they do not match).  And the
>    server should probably insist on doing a ChangeCipherSpec on both
>    directions in the renegotiation handshake.

See above.

> Since Larry is looking for a means to uniquely identify a single
> TLS "connection" independent of whether its a single TLS handshake
> or renegotiated, we should check whether we can carry-over some
> information form the initial handshake on a connection along
> with the client.random&server.random.  Technically there is no
> limit on the number of renegotiations, so a simple pointer
> only one TLS session into the past does not seem sufficient
> for that purpose.

See above.  Use tls-unique.

Nico
--

Follow-Ups:
- Re: [TLS] TLS renegotiation issue
  - From: Nicolas Williams
- Re: [TLS] TLS renegotiation issue
  - From: Martin Rex

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- Re: [TLS] TLS renegotiation issue
  - From: Martin Rex

Prev by Date: Re: [TLS] TLS renegotiation issue
Next by Date: Re: [TLS] TLS renegotiation issue
Previous by thread: Re: [TLS] TLS renegotiation issue
Next by thread: Re: [TLS] TLS renegotiation issue
Index(es):
- Date
- Thread

Re: [TLS] TLS renegotiation issue

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.