IETF Logo Mail Archive

RE: [TLS] Record layer corner cases

<Pasi.Eronen@nokia.com> Wed, 13 December 2006 14:52 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuVTY-0002Lx-Qc; Wed, 13 Dec 2006 09:52:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuVTY-0002Ls-4h for tls@ietf.org; Wed, 13 Dec 2006 09:52:52 -0500
Received: from smtp.nokia.com ([131.228.20.171] helo=mgw-ext12.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuVTW-0000k7-LU for tls@ietf.org; Wed, 13 Dec 2006 09:52:52 -0500
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext12.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id kBDEq7I3028507; Wed, 13 Dec 2006 16:52:21 +0200
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:52:44 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:52:43 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Record layer corner cases
Date: Wed, 13 Dec 2006 16:52:46 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240388E736@esebe105.NOE.Nokia.com>
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240377EAF7@esebe105.NOE.Nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Record layer corner cases
Thread-Index: AccP7G5vuFMik7AjR3aGa8EoqaL8lwDx1bCgAsQvgNA=
From: Pasi.Eronen@nokia.com
To: bmoeller@acm.org, tls@ietf.org
X-OriginalArrivalTime: 13 Dec 2006 14:52:43.0856 (UTC) FILETIME=[58628D00:01C71EC6]
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Pasi Eronen wrote:
> Bodo Moeller wrote:
> > Now that I come to think of it, if we want to change the words of
> > the specification for TLS 1.2, we might just as well simply take the
> > current description of fragmentation and add "And we mean 
> > it" ... :-)
> > 
> > Seriously, if we rule out some odd cases of fragmentation, I don't
> > think it is unreasonable to require all implementations to 
> > be able to properly process fragmented handshake messages.
> 
> My worry is that just adding "And we mean it" wouldn't change the
> current situation: since receiving-side processing is so poorly
> implemented, the sending side can't really rely on it.

I did some more thinking about how we could handle this... .One idea I
came up with would be to add a "Top Implementation Pitfalls" section
(probably as non-normative appendix) that would draw special attention
to the most important things that have caused problems for
implementers in the past and/or are expected to cause confusion
(e.g. because something was changed in TLS 1.2).

E.g. something along these lines:

o  Do you correctly handle handshake messages that are fragmented
   to multiple TLS records? Also corner cases like a ClientHello
   that is split to several small fragments?

o  Do you ignore the TLS record layer version number in all TLS
   records before ServerHello (see Section X.Y.Z)?

o  When using Diffie-Hellman key exchange, do you correctly strip
   leading zero bytes from the negotiated key (see Section 8.1.2)? 
   If you don't, roughly once out of 256 connection attempts will fail.

o  When encountering an error in RSA-encrypted Premaster Secret,  
   do you continue the handshake to avoid the Bleichenbacher 
   attack (see Section 7.4.7.1)?

o  What countermeasures do you use against timing attacks against
   RSA private key operations (decryption and signing)?

o  When verifying RSA signatures, do you accept both NULL and missing
   parameters (see Section X.Y.Z)? Do you verify that there is no
   additional data after the hash value?

o  Do you use a strong and, most importantly, properly seeded random
   number generator for generating the premaster secret, Diffie-Hellman

   private values, the DSA "k" parameter, and other security-critical 
   values?

Do you think something like this would be an effective way of 
saying "And we mean it"?

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email