[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [TLS] Open Issue: verify_data processing

To: <Vipul.Gupta@xxxxxxx>, <tls@xxxxxxxx>
Subject: RE: [TLS] Open Issue: verify_data processing
From: <Pasi.Eronen@xxxxxxxxx>
Date: Wed, 18 Oct 2006 18:14:54 +0300
Cc:
In-reply-to: <769A35F3-CC26-4EF8-A523-81D35E359836@xxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Thread-index: AcbyYdVYuOt75PdvSRi+EwUKDul6iQAYsA/w
Thread-topic: [TLS] Open Issue: verify_data processing

Vipul Gupta wrote:
> I would also prefer hashing. Our research team has successfully
> created a TLS stack for tiny, wireless sensor devices like the
> Berkeley "motes" with only 4KB of RAM (see
> http://research.sun.com/spotlight/2004-12-20_vgupta.html
> http://research.sun.com/projects/crypto/guptav_sizzle_pmc.pdf).
> If the spec were modified to require storing the handshake messages
> in full, then TLS (and derivatives like DTLS) would pretty much
> be ruled out for this emerging class of devices.

Is it obvious that hashing the messages requires less memory? Much of
the information in the handshake messages is either static, or has to
be kept around anyway -- and running hashes requires state, too.

For example, consider a TLS server that has just sent ServerHelloDone,
and has negotiated an RSA-based ciphersuite. At this point, the only
pieces of information from the handshake messages the server can
safely discard are:

- ClientHello.compression_methods (usually 2 bytes)
- ClientHello.cipher_suites (hmm.. 22 bytes with 10 ciphersuites?)
- ClientHello.session_id (just 1 byte if not resuming)
- Any unrecognized extensions in ClientHello (usually none)

All the rest has to be kept around anyway (at this point); and I'm
assuming the server certificate is static, so it's kept around 
anyway (once, not separately for each TLS session).

In other words: at this particular point-of-time, hashing would allow
discarding ~25 bytes of information, at the cost of storing the hash
context -- which in e.g. OpenSSL is 96 bytes for SHA-1 and 216 bytes 
for SHA-512. 

If we're using RSA ciphersuites and a PRF that requires only one pass
over the data, the client can start calculating verify_data as soon as
ServerHello has been received, so it's not obvious that first
calculating
a hash and then running PRF over the hash would actually save anything. 

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Open Issue: verify_data processing
  - From: Martin Rex

References:
- Re: [TLS] Open Issue: verify_data processing
  - From: Vipul Gupta

Prev by Date: [TLS] Agenda for IETF67
Next by Date: Re: [TLS] Open Issue: verify_data processing
Previous by thread: Re: [TLS] Re: Open Issue: verify_data processing
Next by thread: Re: [TLS] Open Issue: verify_data processing
Index(es):
- Date
- Thread