RE: [TLS] Record layer corner cases
<Pasi.Eronen@nokia.com> Wed, 13 December 2006 14:52 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuVTY-0002Lx-Qc; Wed, 13 Dec 2006 09:52:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuVTY-0002Ls-4h for tls@ietf.org; Wed, 13 Dec 2006 09:52:52 -0500
Received: from smtp.nokia.com ([131.228.20.171] helo=mgw-ext12.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuVTW-0000k7-LU for tls@ietf.org; Wed, 13 Dec 2006 09:52:52 -0500
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext12.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id kBDEq7I3028507; Wed, 13 Dec 2006 16:52:21 +0200
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:52:44 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 Dec 2006 16:52:43 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Record layer corner cases
Date: Wed, 13 Dec 2006 16:52:46 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240388E736@esebe105.NOE.Nokia.com>
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240377EAF7@esebe105.NOE.Nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Record layer corner cases
Thread-Index: AccP7G5vuFMik7AjR3aGa8EoqaL8lwDx1bCgAsQvgNA=
From: Pasi.Eronen@nokia.com
To: bmoeller@acm.org, tls@ietf.org
X-OriginalArrivalTime: 13 Dec 2006 14:52:43.0856 (UTC) FILETIME=[58628D00:01C71EC6]
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Pasi Eronen wrote: > Bodo Moeller wrote: > > Now that I come to think of it, if we want to change the words of > > the specification for TLS 1.2, we might just as well simply take the > > current description of fragmentation and add "And we mean > > it" ... :-) > > > > Seriously, if we rule out some odd cases of fragmentation, I don't > > think it is unreasonable to require all implementations to > > be able to properly process fragmented handshake messages. > > My worry is that just adding "And we mean it" wouldn't change the > current situation: since receiving-side processing is so poorly > implemented, the sending side can't really rely on it. I did some more thinking about how we could handle this... .One idea I came up with would be to add a "Top Implementation Pitfalls" section (probably as non-normative appendix) that would draw special attention to the most important things that have caused problems for implementers in the past and/or are expected to cause confusion (e.g. because something was changed in TLS 1.2). E.g. something along these lines: o Do you correctly handle handshake messages that are fragmented to multiple TLS records? Also corner cases like a ClientHello that is split to several small fragments? o Do you ignore the TLS record layer version number in all TLS records before ServerHello (see Section X.Y.Z)? o When using Diffie-Hellman key exchange, do you correctly strip leading zero bytes from the negotiated key (see Section 8.1.2)? If you don't, roughly once out of 256 connection attempts will fail. o When encountering an error in RSA-encrypted Premaster Secret, do you continue the handshake to avoid the Bleichenbacher attack (see Section 7.4.7.1)? o What countermeasures do you use against timing attacks against RSA private key operations (decryption and signing)? o When verifying RSA signatures, do you accept both NULL and missing parameters (see Section X.Y.Z)? Do you verify that there is no additional data after the hash value? o Do you use a strong and, most importantly, properly seeded random number generator for generating the premaster secret, Diffie-Hellman private values, the DSA "k" parameter, and other security-critical values? Do you think something like this would be an effective way of saying "And we mean it"? Best regards, Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: [TLS] Record layer corner cases Peter Williams
- [TLS] Record layer corner cases Pasi.Eronen
- Re: [TLS] Record layer corner cases Bodo Moeller
- Re: [TLS] Record layer corner cases Peter Gutmann
- Re: [TLS] Record layer corner cases Rob Dugal
- RE: [TLS] Record layer corner cases Pasi.Eronen
- Re: [TLS] Record layer corner cases Mike
- RE: [TLS] Record layer corner cases Pasi.Eronen
- Re: [TLS] Record layer corner cases Mike
- Re: [TLS] Record layer corner cases Martin Rex
- Re: [TLS] Record layer corner cases Peter Gutmann
- RE: [TLS] Record layer corner cases Peter Williams
- RE: [TLS] Record layer corner cases Peter Williams
- RE: [TLS] Record layer corner cases Peter Gutmann
- Re: [TLS] Record layer corner cases Bodo Moeller
- RE: [TLS] Record layer corner cases Peter Williams
- RE: [TLS] Record layer corner cases Kemp, David P.
- Re: [TLS] Record layer corner cases Martin Rex
- RE: [TLS] Record layer corner cases Peter Williams
- RE: [TLS] Record layer corner cases Kemp, David P.
- Re: [TLS] Record layer corner cases Mike
- Re: [TLS] Record layer corner cases Martin Rex
- RE: [TLS] Record layer corner cases Kemp, David P.
- Re: [TLS] Record layer corner cases Martin Rex
- Re: [TLS] Record layer corner cases Mike
- RE: [TLS] Record layer corner cases Peter Gutmann
- RE: [TLS] Record layer corner cases Peter Gutmann
- Re: [TLS] Record layer corner cases Kyle Hamilton
- Re: [TLS] Record layer corner cases Steven M. Bellovin
- Re: [TLS] Record layer corner cases Bodo Moeller
- Re: [TLS] Record layer corner cases Martin Rex
- RE: [TLS] Record layer corner cases Kemp, David P.
- Re: [TLS] Record layer corner cases Kyle Hamilton
- RE: [TLS] Record layer corner cases Peter Gutmann
- Re: [TLS] Record layer corner cases Bodo Moeller
- RE: [TLS] Record layer corner cases Pasi.Eronen
- Re: [TLS] Record layer corner cases Mike
- RE: [TLS] Record layer corner cases Kemp, David P.
- RE: [TLS] Record layer corner cases Kemp, David P.
- RE: [TLS] Record layer corner cases Peter Williams
- Re: [TLS] Record layer corner cases Martin Rex
- RE: [TLS] Record layer corner cases Peter Gutmann
- Re: [TLS] Record layer corner cases Martin Rex
- RE: [TLS] Record layer corner cases Peter Gutmann
- RE: [TLS] Record layer corner cases Kemp, David P.
- RE: [TLS] Record layer corner cases Pasi.Eronen
- Re: [TLS] Record layer corner cases Bodo Moeller
- Re: [TLS] Record layer corner cases Mike
- Re: [TLS] Record layer corner cases Bodo Moeller
- RE: [TLS] Diffie-Hellman parameters are unsigned … Pasi.Eronen
- Re: [TLS] Record layer corner cases Bodo Moeller
- RE: [TLS] Record layer corner cases Peter Williams