Re: Closing on shared-key authentication

Michael Warner wrote:
> 
> > The lack of a general extension mechanism in SSL v3 is a feature,
> > not a bug.  This is a security protocol, and so susceptibility to
> > analysis is a good thing.  Simplicity and rigidity are features
> > here.  SSL does provide for forwards compatibility by allowing
> > version negotiation and protection from version rollback attacks.
>
> I must take exception here - not with the advantages of making
> security protocols easy to analyse, but with the implicit assertion
> that SSL - and in particular the RSA-based authentication/key exchange
> - are easily analysed.  As presented in the current RFC, SSL v3 is
> just about the most complex security protocol I have ever looked at.

Frankly, I'm baffled by this assertion.  Yes, SSL v3 is somewhat more
complex than some other security protocols, but I don't think it is
particularly resistant to analysis.  Bruce Schneier and David Wagner
have performed an analysis of the protocol, and their paper contains no
such complaints.

> In particular, determining whether it is vulnerable to "man in the
> middle" attacks is extremely difficult - I'm still not entirely sure
> whether it is for cases where the server has no certificate.

There is an obvious man-in-the-middle attack when the server has no
certificate since client authentication is expressly forbidden in this
case.

> The combination of hashing mechanisms, and the way in which they are
> used make it virtually impossible to determine the effects of any
> properties (including weaknesses) inherent in the actual algorithms.

Yes, Schneier and Wagner also suggested the use of "ad hoc MAC
algorithms" was to be discouraged.  This is certainly one area in which
SSL v3 could be improved.

> I would very much like to see SSL support different (and simpler)
> authentication mechanisms.  Many have already been standardised -
> X.509 being a notable example.

SSL does use X.509v3 certificates.  What kind of different
authentication mechanisms are you talking about?

-- 
You should only break rules of style if you can    | Tom Weinstein
coherently explain what you gain by so doing.      | tomw@netscape.com

Received on Friday, 11 October 1996 13:46:11 UTC