Re: Handling NULL key exchange for NULL_ ciphersuite

At 1:14 PM -0800 1/30/97, Tom Weinstein wrote:
>Ned Smith wrote:
>>
>> What is the correct way to interpret handling of the NULL ciphersuite
>> for key exchange?
>>
>> The TLS spec (excerpts provided below) appears to be vague in its
>> description of how key exchange handling is done if the NULL
>> ciphersuite is negotiated. I don't recall seeing any statement
>> indicating it is illegal to negotiate a NULL ciphersuite. My
>> assumption is the NULL ciphersuite could be negotiated anytime it is
>> legal to negotiate any other ciphersuite (its regular).

I believe this is the intent. I know that people have discussed negotiating
NULL_WITH_NULL_NULL as an efficiency measure when implementations wish to
transmit data which is pre-encrypted and/or authenticated. For example, one
could consider an application which negotiated a TLS connection, exchanged
some control information, then transmitted a number of S/MIME messages.
Negotiating NULL_WITH_NULL_NULL would aid in performance. However, remember:
this might leave one open to attacks which altered the stream of messages
either by replaying or deleting messages. For security, all communications
should be protected by a progressive MAC construction.

I will clarify the spec: my understanding is that NULL_WITH_NULL_NULL
doesn't require a Certificate or Key exchange message from either end: as
such, the negotiation would take the following form:

      Client               Server
   client hello                            Includes the option of N_W_N_N
                        server hello       Specifies N_W_N_N
                         hello done
     finished
change cipher spec
                          finished
                     change cipher spec

>I assume you mean TLS_NULL_WITH_NULL_NULL.  Although the spec does not
>explicitly forbid negotiating to this cipher suite, it should.  If an
>implementation allows negotiation to this cipher suite, it is open to
>a rollback attack.

It's not clear to me what you mean here, Tom. Since the original
negotiation of a connection occurs under NULL_WITH_NULL_NULL, I don't
understand how a later re-negotiation on the same communications channel
could be less secure than a new connection. Which rollback attack do you
mean? Cipher suites or SSL 2?

Note: I do not recommend using NULL_WITH_NULL_NULL unless you know
exactly why you want to and you know for a fact that you understand your
risk model. It provides no security over plain TCP/IP and I wouldn't want
anyone to think otherwise just because it's got "TLS" in the name.

  - Tim

Tim Dierks - timd@consensus.com - www.consensus.com
     Software Haruspex - Consensus Development
  Developer of SSL Plus: SSL 3.0 Integration Suite

Received on Friday, 31 January 1997 03:06:23 UTC
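
Added example, not part of the original message or of any implementation mentioned in it: a client-side check that refuses a ServerHello selecting a suite with no encryption, or one the client never offered, which is the gate the thread is arguing about. The function names are hypothetical, the parser assumes one unfragmented ServerHello record in the TLS 1.0-1.2 layout, and the sample records are constructed.

```python
import struct

# Cipher suite IDs with no encryption, per the IANA TLS registry.
NULL_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
}

class HandshakeError(ValueError):
    pass

def selected_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a single-record ServerHello."""
    if len(record) < 5:
        raise HandshakeError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:                       # 22 = handshake content type
        raise HandshakeError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 4 or body[0] != 2:   # 2 = server_hello
        raise HandshakeError("not a complete ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) != hlen or hlen < 35:   # version(2) + random(32) + sid_len(1)
        raise HandshakeError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len                    # cipher_suite follows the session_id
    if sid_len > 32 or len(hello) < off + 3:
        raise HandshakeError("bad session_id length")
    return int.from_bytes(hello[off:off + 2], "big")

def check_server_hello(record: bytes, offered: set) -> int:
    """Accept only a suite the client offered, and never a NULL one."""
    suite = selected_suite(record)
    if suite not in offered:
        raise HandshakeError("server selected a suite the client never offered")
    if suite in NULL_SUITES:
        raise HandshakeError("refusing " + NULL_SUITES[suite])
    return suite

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample record (version 3.1, all-zero random)."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite.to_bytes(2, "big") + b"\x00"          # null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A caller that really does want NULL_WITH_NULL_NULL for pre-protected payloads would have to remove it from `NULL_SUITES` deliberately, which keeps that decision explicit rather than a negotiation side effect.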