Re: [TLS] merging recent ideas into one new proposal

To: tls at ietf.org
Subject: Re: [TLS] merging recent ideas into one new proposal
From: Michael D'Errico <mike-list at pobox.com>
Date: Fri, 20 Nov 2009 14:06:49 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=bM/ZV2M1oZyP LSpLmcoVs5UvK60=; b=fuhA5St16s7rAUxoW44uq7q5MMKC3tIbi8wCrPGSiasF jmQ6mP5v7pEROi64a45J8Af4M5VyOwjG8wuf6LyparIzwpvNDmw8I/hGV1lhxHW2 s010vq3A3z4XgvqDXnnuKUl81V8aP5w51LUnln4BhX1i6hTyHiGCKE4vfJQR2wg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=s03pUA 5hP4QH1lpmNU+MldoqpvMfntXP+yj3BvaJMBV/aOGM/J0T06RyyuqHm3RMPMZTuU foq5SRN05+fgMBvGKBmTd1gTG/KhYRVfsW782vDmiQg2+tOWImszhHWDmmDqzLhF 7u8J5xazNVbBPgX2Z2ZTMnsWWLRl42sqvgKpc=
In-reply-to: <200911202154.nAKLsdeG029681 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911202154.nAKLsdeG029681 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

It might be possible to truncate the verify_data to something less
than all 12 bytes, similar to how we have the option to truncate
the HMAC.  Plus for SSLv3, the verify_data is 36 bytes!  Also maybe
only one byte of flags instead of 2.

Mike




Martin Rex wrote:

I was just on the phone with Nasko Oskov and he came up with another
very interesting idea about how to get the verify data into the
handshake message hash of the renegotiation.  I like that idea
even better than mine!  So combined with Steve's idea to
signal S->C through ServerHello.cipher_suite, this is the result:


And this will fit into the SSL Version 2 ClientHello
(which is still permitted by RFC-5246 Appendix E !).
TLS/SSL ClientHello.Random  maps to  V2 ClientHello.challenge,
they're both 32-bytes


So the entire new scheme looks like this:


We put the first 12 bytes of the verify_data of the finished
messages into the Hello.Random of renegotiation handshakes.
This will obviate the need to hash them manually, they will
go into the handshake message hash through the respective
Randoms.

A new (single) magic ciphersuite ID, where the client requests
to talk the updated protocol.  This must be first in the
ClientHello.cipher_suites.


ClientHello.Random

   original               new, initial HS        new, renegotiation HS
{

uint32 gmt_unix_time uint32 gmt_unix_time uint32 gmt_unix_timeopaque random[32] uint16 new_flags uint16 new_flags

                        uint16 reserved        uint16 reserved
                        opaque random[12]      opaque random[12]
                        opaque random[12]      opaque cli.verify_data[12]
}
   = 32 bytes             = 32 bytes             = 32 bytes

When an updated server sees the new magic ciphersuite ID, then it
writes the magic cipher suite ID into ServerHello.cipher_suite
in order to confirm to the client the use of the changed protocol
and writes the real negotiated cipher suite ID into the new definition
of the ServerHello.Random:


ServerHello.Random

   original               new, initial HS         new, renegotiation HS

uint32 gmt_unix_time uint32 gmt_unix_time uint32 gmt_unix_timeopaque random[32] uint16 new_flags uint16 new_flags

                        uint16 cipher_suite    uint16 cipher_suite
                        opaque random[12]      opaque random[12]
                        opaque random[12]      opaque srv.verify_data[12]
}
   = 32 bytes             = 32 bytes             = 32 bytes


For those wondering whether it is a good idea or safeto actually
cut into the Hello.Random that much?

I'm not a cryptographer, but I think it is safe.

The 2x 16 bit that I'm cutting with flags and relocated ciphersuite
is admittedly a loss in randomness.  But it should be bearable.

What about the 12 bytes for the verify_data in the renegotiation
handshake?  That should actually _not_ have an impact!

What are the necessary properties for Random, which serves as
a challenge for both communication peers.

   - unique ?           yes
   - non-predictable ?  yes
   - secret ?           no, it is sent in the clear

For the authentication of the previous session in the renegotiation
handshake, we actually assume for the verify_data of the finished
messages the following attributes:

  - unique
  - non-predictable

Of course, we should run this by cryptographers, but to me, it
does _not_ fundamentally flawed, but OK.


And what do I need that 16 bits of flags for?

Well, I think they do come in handy to grow a little fruit.
Those of the low hanging kind.  :)


Possible uses of that Bitfield:

#define TLS_FLAG_SECURE_RENGOTIATE           (1u<< 0)
#define TLS_FLAG_RENEGOTIATE_SAME_IDENTITY   (1u<< 1)
#define TLS_FLAG_INITIAL_HANDSHAKE           (1u<< 2)
#define TLS_FLAG_WILL_NOT_RENEGOTIATE        (1u<< 3)
#define TLS_FLAG_HAVE_NO_CERT                (1u<< 4)



-Martin

References:
- [TLS] merging recent ideas into one new proposal
  - From: Martin Rex

Prev by Date: Re: [TLS] merging recent ideas into one new proposal
Next by Date: Re: [TLS] Consensus Call for draft-ietf-tls-renegotiation-00.txt
Previous by thread: Re: [TLS] merging recent ideas into one new proposal
Next by thread: Re: [TLS] merging recent ideas into one new proposal
Index(es):
- Date
- Thread

Re: [TLS] merging recent ideas into one new proposal

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.