Re: [TLS] TLS renegotiation issue

To: Nicolas.Williams at sun.com (Nicolas Williams)
Subject: Re: [TLS] TLS renegotiation issue
From: Martin Rex <mrex at sap.com>
Date: Thu, 5 Nov 2009 18:45:46 +0100 (MET)
Cc: ekr at rtfm.com, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091105171308.GY1105 at Sun.COM> from "Nicolas Williams" at Nov 5, 9 11:13:08 am
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Nicolas Williams wrote:
> 
> On Thu, Nov 05, 2009 at 06:11:41PM +0100, Martin Rex wrote:
> > One conceivable approach would be a TLS extension for secure renegotiation
> > with roughly the following semantics:
> > 
> > 
> >  - on initial TLS handshakes (aka Re-nego of a TLS_NULL_WITH_NULL_NULL)
> >    the client that supports secure renegotiation should send the
> >    TLS extension in the client hello with an empty extension data
> >    to signal to the server that it support secure renegotation.
> > 
> >  - on TLS session renegotiations, the client should sent the TLS extension
> >    with the extension data containing the client.random and server.random
> >    from the existing session.
> 
> The MITM can make sure they match.

Not a problem.

If it does, that will become obvious in the verification of
the finished messages of the renegotiation handshake.

In addition to the Finished Message verification, such doctoring
will be detected in the ClientVerify verification by the server
when that is a signature over all previous handshake messages
(which is the default).

I'm usually prefer low-impact improvements, which can be added
to existing codebase with ease.  client.random | server.random
from the existing connection seems like a good candidate to me.

-Martin

References:
- Re: [TLS] TLS renegotiation issue
  - From: Nicolas Williams

Prev by Date: Re: [TLS] TLS renegotiation issue
Next by Date: Re: [TLS] TLS renegotiation issue
Previous by thread: Re: [TLS] TLS renegotiation issue
Next by thread: Re: [TLS] TLS renegotiation issue
Index(es):
- Date
- Thread

Re: [TLS] TLS renegotiation issue

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.