On 10/5/20 10:21, Christopher Patton wrote:
A couple pointers for getting started:

Thank you for providing these links!  I'm going through
the first one now and will note that it does not even
mention the HelloRetryRequest message.  So while I am
confident there has been quite a bit of study of a
ClientHello -> ServerHello handshake, there may not
have been much study of ClientHello1 -> HelloRetryRequest
-> ClientHello2 -> ServerHello handshakes.

I'm especially concerned about the fact that a "stateless"
server does not even remember what the ClientHello1 or
HelloRetryRequest messages were when it receives the
second ClientHello.  Load-balanced data centers seem to
do this based on some of the discussion I've had this
week.

The protocol handles the missing ClientHello1 message by
replacing it with hash-of-ClientHello1, but then you're
supposed to rely on the client to tell you this value in
its ClientHello2.  Even if nothing funny is happening,
how is the (stateless) server supposed to put the
HelloRetryRequest message in the Transcript-Hash?  Where
does it get this value from if it's not also somehow in
the "cookie" (which is how the client reminds the server
of hash-of-ClientHello1)?

And how would you put the HelloRetryRequest message into
the cookie extension when the cookie itself is a part of
the HelloRetryRequest?

Just trying to imagine the code I'd have to write to do
this correctly makes my head spin:

  0)  [disable "TCP Fast Open" so I don't do lots of
      processing without knowing there's a routable
      address associated with the client]

  1)  receive ClientHello1

  2)  generate HelloRetryRequest message without cookie

  3)  package ClientHello1 and HelloRetryRequest-minus-
      cookie into a data structure, encrypt + MAC to
      create a cookie

  4)  insert the cookie into the HelloRetryRequest,
      remembering to update the length of the extensions

  5)  send HelloRetryRequest (with cookie) to client

  6)  erase all memory of what just happened!!!

  7)  receive ClientHello2

  8)  ensure it has a cookie extension (well I should
      at least remember the fact that I already sent a
      HelloRetryRequest and not be completely stateless,
      right?  Otherwise the client may be able to send
      many ClientHelloN's without a cookie)

  9)  check MAC on the cookie and if it's valid, decrypt
      it to determine the contents of ClientHello1 and
      the HelloRetryRequest (without cookie) messages

  10) MAKE SURE ClientHello2 is valid according to what
      was received in ClientHello1 (RFC 8446 has a list
      of things a client is allowed to do; I would want
      to check all of them, so a hash of ClientHello1
      is inadequate in my opinion).  This seems to be a
      necessary thing to do even for stateful servers.

  11) Recreate the actual HelloRetryRequest message
      that was sent to the client by putting the cookie
      into HRR-minus-cookie (in the same place within
      the list of extensions as was already done in step
      4, but since we threw it away, do it again)

  12) Hash the ClientHello1 and add this hash to the
      Transcript-Hash along with the HelloRetryRequest
      message

And I didn't even handle the possibility of replay.........

Can a cryptographer (I don't claim to be one) please take a
few moments to look at the possibilities for a server which
doesn't implement step 8 and allows multiple ClientHello's
without a cookie on the same connection?  Or a server that
doesn't put the entire ClientHello1 into the cookie and can
not check whether ClientHello2 is conformant to the list of
allowed changes?  Or a server that has to maybe "guess" the
content of HelloRetryRequest based on ClientHello2 since it
just sent hash-of-ClientHello1 in the cookie?  And if it
guesses wrong and the Transcript-Hash ends up different
from the client, the peers will not be able to communicate
(denial of service to legitimate clients).

Implementers -- how do you put a HelloRetryRequest message
into the Transcript-Hash if you are "stateless" and threw
it in the bin along with ClientHello1?

Mike


 1. Check out Dowling et al.'s recent analysis. Published a month or
    so ago, it's the most recent proof of security of the full
    handshake (also includes PSK modes): https://eprint.iacr.org/2020/1044
 2. Check out Paterson and van der Merwe's survey of the body of
    papers that helped to shape TLS 1.3. It also overviews the myriad
    attacks against TLS 1.2 and below that catalyzed a more proactive
    design approach for 1.3:
    https://link.springer.com/chapter/10.1007/978-3-319-49100-4_7

If you're unable to download the second (2.), the same paper appears in a slightly different form in van der Merwe's PhD thesis.

No analysis is perfect, but so far, 1.3 appears to be far superior to 1.0-1.2.

Best,
Chris P.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

Reply via email to