Re: [TLS] Need for S->C signaling

To: tls at ietf.org
Subject: Re: [TLS] Need for S->C signaling
From: Michael D'Errico <mike-list at pobox.com>
Date: Fri, 20 Nov 2009 12:11:25 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=3taDIZee8SPq lrZiibxHd76Vjvg=; b=oETcuxSHGuCmELLtrOPCi4EqsVlm7pDbqkKGTt9+ge0t Yp3xqVJROy5GEW9RSDG7wzz8TFtrE2qnJUR10H6m4zUPKCprKOKe8cvP3Rt1035I Y+/+OgEnCF8UiBy1ogtrVZkJPAs66zRY6vYtkcpV7BMxcJS+Djy6L5wJ/HvEn/g=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=pJYBHH M95taba/n9ehUTiVMtD+AA8RRpEx3ZOvMAC3PL/6ttvsb5UhOiC8bjIFf4N6bE14 t9roxhegNeHSI+3aQhcK7beaEwm4NI2lWctUCSF13sZF0NWn1vGaI57Zqf/r3WMX bfQNgYATL6DCfaXwvxXmZU9JjTxTgKKVyOhMo=
In-reply-to: <200911201921.nAKJLfcs020068 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911201921.nAKJLfcs020068 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

I agree that something along these lines might be an improvement.
I found it difficult to explain how the upper bit of version is
set, but is not really a version change.

But messing with gmt_unix_time might cause trouble since it's
possible that _something_ out there might rely on it (for what
I have no idea).  So since the bottom few bytes of the random
have no restriction whatsoever, putting the actual cipher suite
there would not break anything.

I'm not convinced that we need a field of flags, though, since
we have TLS extensions.  We should point out in our spec. that
this solution is a HUGE compromise in the quest for backward
compatibility, and that future fixes MAY require extensions.
"You've been warned", etc.

Mike




Martin Rex wrote:

Actually we could use your idea for a more symmetric signaling!

Stephen, I REALLY like this idea!


Since there are people that didn't like the gmt_unix_time
in Random anyway, we could just re-purpose it entirely.

Add a single magic ciphersuite as first(!) in ClientHello.cipher_suites
and then the field "ClientRandom.gmt_unix_time" must be interpreted

  ClientHello.Random =
    {
      uint16   field_of_flags
      uint16   reserved
      opaque   random_bytes[28]
    }

  And when the server sees that magic cipher suite and implements
  this protocol extension, then it will return the magic cipher suite
  as negotiated ServerHello.cipher_suite and then the definition
  of the ServerHello.Random will be this:

  ServerHello.Random =
   {
     uint16       field_of_flags
     CipherSuite  cipher_suite      /* real negotiated cipher_suite */
     opaque       random_bytes[28]
   }

Those implementors who want to keep a gmt_unix_time in their Random

to provide uniqueness, will need to put it somewhere into random_bytes,
like in the first 4 octets of that element.


This would give us 16 free bits for bi-directional signaling in
ClientHello and ServerHello at the cost of 2 Bytes in ClientHello.

The fun part: these bit-flags are not only protected by the
handshake message hash, they actually go into the PRF for
the session keys.  Some kind of extra protection.  :)


-Martin

PS: the session ID is used by servers to manage their cache
    and may also be used by server-side load-balancers.
    the session ID is only "random"-equivalent for the client

Follow-Ups:
- [TLS] merging recent ideas into one new proposal
  - From: Martin Rex
- Re: [TLS] Need for S->C signaling
  - From: Yoav Nir
- Re: [TLS] Need for S->C signaling
  - From: Martin Rex

References:
- Re: [TLS] Need for S->C signaling
  - From: Martin Rex

Prev by Date: Re: [TLS] TLS Protocol Version
Next by Date: Re: [TLS] Need for S->C signaling
Previous by thread: Re: [TLS] Need for S->C signaling
Next by thread: Re: [TLS] Need for S->C signaling
Index(es):
- Date
- Thread

Re: [TLS] Need for S->C signaling

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.