Does the sentinel have to be the first N bytes? RFC 5246 (Section 7.4.1.2) specifies Random as a combination of a uint32 time value and 28 random bytes.

Rather than risk breaking backwards compatibility by changing the definition of the first 4 bytes, perhaps the sentinel can be moved to another location within the ServerRandom field? Either the second set of N bytes or the last set of N bytes? Where the sentinel is located shouldn't really matter.

Subsequently, the sentinel can be chosen with more freedom. As I recall, one reason (but not the only reason) the length was extended to 8 bytes was the gmt_unix_time issue; is an 8-byte sentinel still needed if it's not overlapping the gmt_unix_time (yes, I'm concerned about a reduction of entropy by 25%)?

In extending this, should the ClientHello random value also include the sentinel? (Yes, I know this again reduces entropy.) A MITM can implement a downgrade attack in either direction. The server can terminate the connection that much earlier. (Risk: ~2^{-64} that an older client might be rejected for having a mismatched sentinel/version.)

Viktor Dukhovni had proposed a ~5 byte sentinel:

    struct {
        uint32 gmt_unix_time;
        opaque random_bytes[23];
        uint8  sentinel[5];
    } Random;

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Oct 17, 2015, at 7:02 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> On Sat, Oct 17, 2015 at 03:20:08PM -0700, Eric Rescorla wrote:
>
>> I don't feel strongly about this, but I don't see how what you suggest
>> is any simpler than the version number encoding I proposed. Arguably,
>> it's more complicated since you can't implement the sentinel check with
>> memcmp().
>
> The simplicity I have in mind is minimality of the design, not so much the
> implementation. The bit in question could be the high bit of the first
> octet of server random. The code doing the comparing would need a mutable
> copy of the test value, and would clone the bit in question from the input
> to the test value, then memcmp.
>
>     /* test: mutable copy of the fixed sentinel, same length as the field */
>     memcpy(test, sentinel, len);
>     tls13 = peerrand[0] & 0x80;
>     /* clone the peer's version bit into the copy, then a single memcmp */
>     test[0] = tls13 | (test[0] & 0x7f);
>     if (memcmp(peerrand, test, len) == 0) {
>         if (tls13) {
>             /* Peer indicates TLS >= 1.3 support */
>             ...
>         } else {
>             /* Peer indicates TLS 1.2 support */
>             ...
>         }
>     }
>
> --
>     Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
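A concrete form of the client-side check the thread is sketching, combining Todd's placement of the sentinel in the last 8 bytes of ServerHello.random with Viktor's high-bit version encoding and memcmp match. This is an added example, not code from the thread or from any TLS implementation; the sentinel bytes, the version constants, the filler randomness and the function names are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define TLS_RANDOM_LEN 32
#define SENTINEL_LEN   8
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304
/* Constructed sentinel (assumption, not from the thread); every byte has the
 * high bit clear so bit 7 of byte 0 is free to carry the version. */
static const uint8_t DOWNGRADE_SENTINEL[SENTINEL_LEN] =
    { 'S', 'E', 'N', 'T', 'I', 'N', 'E', 'L' };

enum sentinel_result { SENTINEL_ABSENT, SENTINEL_TLS12, SENTINEL_TLS13 };
/* Sentinel in the last SENTINEL_LEN bytes of ServerHello.random (Todd's
 * placement), matched per Viktor's sketch: clone the peer's version bit into a
 * mutable copy of the sentinel, then a single memcmp decides. */
enum sentinel_result read_sentinel(const uint8_t server_random[TLS_RANDOM_LEN])
{
    const uint8_t *peer = server_random + TLS_RANDOM_LEN - SENTINEL_LEN;
    uint8_t test[SENTINEL_LEN], tls13 = peer[0] & 0x80;
    memcpy(test, DOWNGRADE_SENTINEL, SENTINEL_LEN);
    test[0] = tls13 | (test[0] & 0x7f);
    if (memcmp(peer, test, SENTINEL_LEN) != 0)
        return SENTINEL_ABSENT;   /* pre-sentinel server, or nothing signalled */
    return tls13 ? SENTINEL_TLS13 : SENTINEL_TLS12;
}

/* Client side: a match says "the server supports at least this version", so
 * 1 means the negotiated version is below what both ends support and the
 * client must abort instead of accepting the downgrade. */
int downgrade_detected(const uint8_t server_random[TLS_RANDOM_LEN],
                       int negotiated, int client_max)
{
    enum sentinel_result s = read_sentinel(server_random);
    if (s == SENTINEL_ABSENT)
        return 0;
    int server_max = (s == SENTINEL_TLS13) ? TLS_1_3 : TLS_1_2;
    int expected = (client_max < server_max) ? client_max : server_max;
    return negotiated < expected;
}

/* Constructed ServerHello.random: 0xab filler standing in for real randomness,
 * sentinel in the tail, version bit set when tls13 is nonzero. */
void make_server_random(uint8_t out[TLS_RANDOM_LEN], int tls13)
{
    memset(out, 0xab, TLS_RANDOM_LEN);
    memcpy(out + TLS_RANDOM_LEN - SENTINEL_LEN, DOWNGRADE_SENTINEL, SENTINEL_LEN);
    if (tls13)
        out[TLS_RANDOM_LEN - SENTINEL_LEN] |= 0x80;
}
```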