Simple SSL/TLS - Some Questions
Jill Ramonsky
Jill.Ramonsky at aculab.com
Fri Oct 3 12:55:25 EDT 2003
Having been greatly encouraged by people on this list to go ahead with a
new SSL implementation, it looks like I am going to go for it, but I'd
kinda like to not make any enemies in the process so I'll try to keep
this list up to date with progress and decisions and stuff ... and I
will ask a lot of questions.
It's worth summing up the design goals here, so nobody gets confused.
Trouble is, I haven't figured out what they should all be. The main
point of confusion/contention right now seem to be (1) should it be in C
or C++?, (2) should it support SSL or TLS or both?
There are plenty of things I am really sure about, however. The two main
design goals people seem to want are (1) lightweight, and (2) easy to
use. (Plus the "obvious" goals of (3) it actually /will/ implement
SSL/TLS and not something else, and (4) it shouldn't be full of bugs. I
figure those go without saying).
Regarding the choice of language, I think I would want this library (or
toolkit, or whatever) to be somehow different from OpenSSL - otherwise
what's the point? I mean ... this may be a dumb question, but ... if
people want C, can they not use the existing OpenSSL? Or is it simply
that OpenSSL is too complicated to use, so a "simpler than OpenSSL" C
version is required. What I mean is, I don't want to duplicate effort.
That seems dumb.
C++ has many advantages, which include SECURITY advantages. Proper use
of constructors, destructors, exceptions, std::strings, std::vectors,
smart pointers, and so on can eliminate memory leaks, dangling pointers,
buffer overruns, and just about everything else than can bring a good
toolkit down. I already have a very nice, working, C++ secure
big-integer library [here's one I wrote earlier]. By "secure" in this
context, I mean that all big-integers get zeroed on deletion, so no
crypto keys are ever left lying around in memory. Sure, these sort of
things are all also possible in C, but it's so much more work to be
/sure/ that every error condition is dealt with. Is embedded C++
non-existant then? I'm pretty sure it's possible to compile C++ to C
(instead of to assembler) so a C++ to C wrapper can't be that difficult.
(By contrast, a C to C++ wrapper would be easier, but the toolkit would
have more bugs!) My inclination is still to go with C++, and figure out
a way of turning it into C later if necessary ... but if majority
opinion says otherwise I'll reconsider.
Now - SSL or TLS - this confuses me. From what I've read in Eric's book,
SSL version 3.0 or below is called SSL, wheras SSL version 3.1 or above
is called TLS. Have I misunderstood that? In any case, I note the bit in
Eric's book (p73 in my edition) where it says "In general, it is
expected that an implementation speaks all lesser versions" ... even if
lesser versions become known to be insecure. I'm not sure I like this -
and in any case, it goes against the design goal of "lightweight". If
you want to implement only TLS (for example, in a closed private network
where all parties are known to be using the same version of the same
protocol), why should you have to lug around SSL as well? I suppose I
/want/ the solution to be "allow the toolkit to generate either
SSL-only, or TLS-only, or SSL+TLS" ... but what I'm not sure about is,
is the "TLS-only" option forbidden by the standard?
And now some questions about SSL/TLS itself....
THE HANDSHAKE PHASE
The assumption in Eric's book, roughly translated into Alice and Bob
scenarios, goes something like this: Bob (client) says hello to Alice
(server). Alice sends Bob her certificate (which is basically a copy of
her public key, signed by a third party, Carol). Bob validates Alice's
key (which is only possible if he already has a copy of Carol's public
key), and then uses Bob's (now validated) public key to start sending
encrypted messages. (There's more, but that's the important part).
Now, this scenario is all very well for banks and big businesses, but I
guess I want to do "SSL for the rest of us". You see, the above scenario
contains a couple of assumptions. It assumes (1) that Bob does not
already have Alice's key - otherwise why would she need to send it? It
further assumes (2) that Bob /does/ have Carol's key, /and that he
trusts Carol/. Okay, fine, but what if these assumptions aren't met? I
mean, let's assume that Bob already has Alice's key. (Let's say for sake
of argument that she gave it to him personally). Now this means we can
save on bandwidth by not having to transmit Alice's cert ... but already
there are two problems: (1) would it be a violation of the protocol to
omit the cert?, and (2) without the cert, we would need some /other/
kind of message with which to replace it - one which says, simply, "Hi,
this is Alice, use the copy of my key which you already have". So
already I have questions - how free am I to allow variations in the
handshake?
THE CIPHER SUITE
The list on page 74 of Eric's book looks a little limiting to me - not
merely because the list is too short, but also because it's very design
is wrong (in lumping all of the encryption ciphers together into a
single 16-bit value with no internal structure). What if Alice would
like to use, say, some elliptic curve function as her asymmetric
algorithm?, or CAST-5 as her symmetric algorithm?, or SHA-256 as her
hash function? We could maybe fix this up by adding more entries to the
list, but it's a global list, so who has the authority to add entries to
it? I believe that Alice and Bob should be able to communicate with
whatever ciphers they wish, and should not need the permission of any
global authority to do this. Are there any values in the range (0x0000
to 0xFFFF) which are reserved for private use between consenting parties?
It is even possible for Alice and Bob to use a proprietry cipher. For
example, what if the chosen encryption algorithm is "one-time-pad",
using a block of bits communicated out of band (e.g. via so-called
quantum cryptography, or that hard-drive alternative discussed in
another thread). How can this be communicated in the CipherSuite field?
I would like to believe there is a way of doing this ... but if not, I'd
like to know that too, so I can find a neat way of extending the
protocol to /make/ it possible.
THE COMPRESSION METHOD
Exactly the same question. Alice and Bob are consenting adults, and they
want to use the BZIP compression algorithm. I'm not going to tell them
they can't. (I suspect though that the answer to the previous query will
also answer this one).
THE CERTIFICATE
Can Alice and Bob each create their own certificates? With (for example)
Alice's key signed by Bob, and Bob's key signed by Alice, as is often
done in GPG? Who counts as the "Issuer" in this case? How can Alice (or
a piece of software working on Alice's behalf) construct an X.500
Distinguished Name to describe herself /and be absolutely sure that it
is globally unique/? On page 12 of Eric's book it explains that a DN is
a sequence of RDNs, each of which only needs to be locally unique, so
the whole sequence becomes globally unique. That's all very well, but
it's still a global namespace overall, so who controls it? Let me be
clear that Alice and Bob have no intention to give even a single penny
to Verisign or any other entity, just so that they can talk to each
other in private.
FINISHED
Well, that's enough questions for now. Hopefully someone can answer some
of them. Encouragement is great, and I appreciate it, but practical
answers to the above would be even better.
Cheers,
Jill
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list