Re: [TLS] Proposal for hybrid solution using most of the ideas

To: Chris.Newman at Sun.COM (Chris Newman)
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Martin Rex <mrex at sap.com>
Date: Sat, 21 Nov 2009 01:02:12 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <72F218683F2638BF41208A6D at 446E7922C82D299DB29D899F> from "Chris Newman" at Nov 20, 9 03:24:09 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Chris Newman wrote:
> 
> --On November 19, 2009 22:23:43 +0100 Martin Rex <mrex at sap.com> wrote:
> > Asking SSLv3 implementations to improve on their extensions-intolerance
> > is still OK.  Requiring them to implement generic TLS extensions
> > is not, because it has nothing to do with the problem and is
> > an unnecessary complexity for the fix.
> 
> What if we require SSLv3 compatible clientHello and SSLv3 serverHello to 
> list RI first and at least ignore additional extensions, waiving the 
> requirement for full extension support for SSLv3-only implementations?

I don't see how this would solve the problem.

How to you interoperate with installed base SSLv3 and TLSv1.0 that
is extensions-intolerant without being vulnerable to downgrade attacks?

The restriction that this extension must be first comes very unnatural
and is bound to result in interop problems, because it will usually
not show up in tests that have generic TLS extension functionality.
It seems like dangerous design.

Maybe this explains the abstract problem better:

If you look at the two different possibilities to get the verify_data
into the handshake message hash on renegotiation:

   1)  put them into a handshake message and they will be hashed
       automatically

   2)  have each peer add them manually to the handshake message
       hash directly after ServerHello

which of the two is better engineering-wise?

Definitely (2).  (1) is incomplete and fails unsafe.

It is unlikely that if (2) was used that _everyone_ would implement
it incorrectly.  If implemented incorrectly, you will get interop
problems when testing with regular old and new peers.
So this approach fails safe.

No matter how poorly you implement (1), you will always interoperate.
What is missing in (1) is the requirement, that the verify_data in
the handshake messages is actually verified by the receiver!
If you have implementors that actually forget to perform
the comparison, you will NEVER notice this in interop-tests.
You will actually need to build yourself attack-tools to make
sure that your implementations actually verify that data.
So approach (2) fails UNsafe. 

It is true that I did add (2) to my last proposal by including
the verify_data in the Hello.Random elements.  *I* still prefer
to call the hash function manually, because it will fail safe.

-Martin

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Chris Newman

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Chris Newman

Prev by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by Date: [TLS] Another critical problem with RI
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.