[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Comments on TLS identity protection

To: "EKR" <ekr@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [TLS] Comments on TLS identity protection
From: <home_pw@xxxxxxx>
Date: Fri, 29 Dec 2006 21:15:56 -0800
Cc: tls@xxxxxxxx
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <20061229215440.25C961CC37@xxxxxxxxxxxxxx>

In SSLv3 one can choose to changeCipherSuite to a null encryption and
null mac state, and merely use the fragmentation, sequencing andreassembly
functions of the SSL protocol machine.


The what? SSL offers no capabilities here that are not offered
by the reliable transport it must ride on top of.


Your missing my point.

Im not putting SSL record layer over TCP.... My SSL application is nothttps, it isitself an SSL Connection, sending record_layer records data over...record_types of

an currently active (underlying) TLS Connection.

Like Ldap and HTTP1.1 update an TCP session to turn TLS Connection's on andofffor certain TCP fragments, I do the same with my outer SSL connection. Whenmy upper layer(inner SSL connection) sends a certain custom record_type into the stream,this isrecognized by the outer SSL Connection which does a certain class and typeof handshake...

I'm doing nothing here that TLS Evidence is not suggesting (albeit byabusing alerts!)

Hopefully, I can read the 2nd half of your TLS/SSL book tomorrow, focusingon the

engineering discussion, rather than the protocol discussion.

(Nothing in SSLv3 states how the
seq_num is calculated , note. It can be simple or fancy (provided itstarts
at zero, when the connection state is initialized or assigned).)


I don't have the v3 spec in front of me, but if that's true, it's
a bug in the spec, IMO.



Perhaps!

"Each party maintains separate sequence numbers for transmitted and receivedmessages for each connection. When a party sends or receives a change cipherspec message, the appropriate sequence number is set to zero. Sequencenumbers are of type uint64 and may not exceed 264-1. "

For TLS1.0, one may assume that increment means uint64++ (which seemsreasonable, when writing a

conformance/value/state checker)

   "Sequence numbers are of type uint64 and may not
      exceed 2^64-1. A sequence number is incremented after each
      record: specifically, the first record which is transmitted under
      a particular connection state should use sequence number 0."

I think SSLv3 is clearer than TLS, concerning when sequence number is set tozero. FOr SSL3,

its changedfor any variant of the change cipher spec message. For TLS, its
the :first: message under "a particular connection state". If TLS Evidence
changes the notion of Connection state (which it seems to do, being an

extension of connection state machine), we now now have alerts settingseq_num=0.

They jury is only going to ask what went before .... if the seq_num for
the audited handshake starts at 9225.

Hmm.

-Ekr


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Comments on TLS identity protection
  - From: EKR

References:
- Re: [TLS] Comments on TLS identity protection
  - From: EKR

Prev by Date: Re: [TLS] Re: I-D ACTION:draft-ietf-tls-srp-13.txt
Next by Date: Re: [TLS] Comments on TLS identity protection
Previous by thread: Re: [TLS] Comments on TLS identity protection
Next by thread: Re: [TLS] Comments on TLS identity protection
Index(es):
- Date
- Thread