Re: [TLS] Proposal for hybrid solution using most of the ideas



Nasko Oskov wrote:
> 
> Michael D'Errico wrote:
> >
> > Also the Certificate message is optional, so it would cause
> > trouble for some cipher suites.
> 
> Fair point.
> 
>
> > And even more importantly, there is only ServerHello sent
> > when you resume an old session!
> 
> Session resumption is already secure since it uses existing crypto state
> as part of the negotiation. There are no problems in that case.

I'm confused by the latter.  It doesn't sound right.

A resumed TLS session can certainly be renegotiated later, and
of course, we neither want a TLS session resume to be proxied into
the renegotiation of a server, nor do we want a TLS renegotiation
on a resumed session to be unprotected/insecure like in the past.


Although TLS session resume seems to have been disabled during renegotiation
by at least some implementations, it would actually be the first choice
if all that the client wants to do is rekeying (huge data transfers
and only RC4 or 3DES ciphersuites), because it would be the most
efficient.

TLS session resume avoids the PKI crypto overhead of the full handshake,
_but_ will derive new session keys from the master secret of the cached
session plus ClientHello.Random and ServerHello.Random
and reinitialize the SecurityParameters of the connection state.


A client initiating a TLS renegotiation would know whether it wants
to rekey (and would significantly benefit from a TLS session resume)
or when it wants to change the cryptographic characteristics of
the TLS session.

When the Client receives a ClientHelloRequest from the server,
then it doesn't know what the Server is trying to achieve by that.
The most common usage scenario for TLS renegotiation seems to
be delayed or on-demand authentication, and there a TLS session
resume wouldn't help.  But then, the server gets actually to
choose whether it performs a full TLS handshake or whether 
it agrees to a TLS session resume proposed by the client.


From a technical point of view, a client proposing TLS resume on a
client-initiated TLS renegotiation is the same as disconnecting,
reconnecting and proposing TLS resume on the new connection.


-Martin
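
The rekeying effect of a session resume described in the message above, as an added example that is not part of the original message: the cached master secret stays the same, but fresh ClientHello.Random and ServerHello.Random values produce a new key block. It assumes the TLS 1.2 PRF and key expansion from RFC 5246 (the thread does not name a protocol version) and 3DES_EDE_CBC_SHA key sizes; the master secret is a constructed sample value.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out, a = b"", seed                      # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(master_secret: bytes, client_random: bytes,
                server_random: bytes, mac_len: int = 20, key_len: int = 24):
    """Key expansion (RFC 5246, section 6.3): PRF(master_secret,
    "key expansion", server_random + client_random), then partitioning.
    Assumed sizes are those of 3DES_EDE_CBC_SHA; TLS 1.2 CBC suites take
    no IV from the key block."""
    seed = b"key expansion" + server_random + client_random
    block = p_sha256(master_secret, seed, 2 * mac_len + 2 * key_len)
    names = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len)]
    keys, pos = {}, 0
    for name, size in names:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def resume_twice(master_secret: bytes):
    """Two abbreviated handshakes on one cached session, each with fresh
    32-byte randoms, as a resume-based rekey would exchange them."""
    first = derive_keys(master_secret, os.urandom(32), os.urandom(32))
    second = derive_keys(master_secret, os.urandom(32), os.urandom(32))
    return first, second

if __name__ == "__main__":
    cached_master_secret = bytes(range(48))   # constructed sample value
    before, after = resume_twice(cached_master_secret)
    for name in before:
        print(name, before[name].hex()[:16], "->", after[name].hex()[:16])
```
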

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.