Re: [TLS] Proposal for hybrid solution using most of the ideas

On Nov 19, 2009, at 10:10 AM, Stefan Santesson wrote:
> 
> I disagree.
> 
> I think we agree that an upgraded finished calculation is not a dirty hack.
> This is what future versions of TLS will use by default.
> 
> Remains then the signaling C->S and S->C client.
> 
> The RI proposal also includes the use of a magic cipher suite, so that dirty
> hack is in both proposals.
> 
> Which leaves us with S->C signaling. Here I'm not sure we have exhausted all
> options.

I've got one more.  

Change the Finished message calculation to include the old verify_data.  That's in all proposals.

I would add to that to also change the Finished message calculation in the initial negotiation, and use a single zero byte for the old verify_data, but do this for the client only.

That way, the client can attempt to calculate the Finished message in both the old and new way, and recognize if the server is patched or not.

I realize this is less than optimal, because in the normal handshake, the client's ChangeCipherSpec and Finished message precede the server's, so we can't alter the client's Finished message in the same way without breaking connectivity with un-patched servers.
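
The client-side check described in this message, as an added example that is not part of the original post: the client computes the expected server Finished both the old and the new way and classifies the server by which one matches. It assumes the TLS 1.2 SHA-256 PRF and that the old verify_data is appended to the hashed handshake input (the message does not fix an encoding); `classify_server`, `MASTER_SECRET` and `TRANSCRIPT` are hypothetical names and constructed values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def verify_data(master_secret, label, transcript, old_verify_data=None):
    """12-byte Finished verify_data.

    old_verify_data=None -> old calculation (handshake messages only).
    Otherwise the old verify_data is appended to the hashed input; this
    placement is an assumption made for the example.
    """
    data = transcript if old_verify_data is None else transcript + old_verify_data
    seed = label + hashlib.sha256(data).digest()
    return p_sha256(master_secret, seed, 12)


def classify_server(master_secret, transcript, received, old_verify_data=b"\x00"):
    """Return 'patched', 'unpatched' or 'invalid' for a received server Finished.

    On the initial negotiation old_verify_data is the single zero byte from
    the proposal; on a renegotiation it would be the previous verify_data.
    """
    label = b"server finished"
    new_way = verify_data(master_secret, label, transcript, old_verify_data)
    old_way = verify_data(master_secret, label, transcript)
    # Constant-time comparisons, as for any MAC check.
    if hmac.compare_digest(received, new_way):
        return "patched"
    if hmac.compare_digest(received, old_way):
        return "unpatched"
    return "invalid"
```

A value that matches neither calculation is an ordinary Finished verification failure and the handshake must be aborted.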
