Re: [TLS] MITM Attacks on Client Authentication after Resumption

"Salz, Rich" <rsalz@akamai.com> Mon, 03 March 2014 23:32 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 223831A00E2 for <tls@ietfa.amsl.com>; Mon, 3 Mar 2014 15:32:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.345
X-Spam-Level:
X-Spam-Status: No, score=-3.345 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmF0esDfyX5s for <tls@ietfa.amsl.com>; Mon, 3 Mar 2014 15:32:48 -0800 (PST)
Received: from prod-mail-xrelay02.akamai.com (prod-mail-xrelay02.akamai.com [72.246.2.14]) by ietfa.amsl.com (Postfix) with ESMTP id A9B3F1A00B6 for <tls@ietf.org>; Mon, 3 Mar 2014 15:32:47 -0800 (PST)
Received: from prod-mail-xrelay02.akamai.com (localhost [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id D32A128578; Mon, 3 Mar 2014 23:32:42 +0000 (GMT)
Received: from prod-mail-relay02.akamai.com (prod-mail-relay02.akamai.com [172.17.50.21]) by prod-mail-xrelay02.akamai.com (Postfix) with ESMTP id BE7D728577; Mon, 3 Mar 2014 23:32:42 +0000 (GMT)
Received: from usma1ex-cashub.kendall.corp.akamai.com (usma1ex-cashub5.kendall.corp.akamai.com [172.27.105.21]) by prod-mail-relay02.akamai.com (Postfix) with ESMTP id B686BFE229; Mon, 3 Mar 2014 23:32:42 +0000 (GMT)
Received: from USMBX1.msg.corp.akamai.com ([169.254.1.228]) by USMA1EX-CASHUB5.kendall.corp.akamai.com ([172.27.105.21]) with mapi; Mon, 3 Mar 2014 18:32:42 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 3 Mar 2014 18:32:36 -0500
Thread-Topic: [TLS] MITM Attacks on Client Authentication after Resumption
Thread-Index: Ac83K1DgqEl+P4ZCTEq0iA+SB4zYAQADC4Ag
Message-ID: <2A0EFB9C05D0164E98F19BB0AF3708C711EFC3909C@USMBX1.msg.corp.akamai.com>
References: <BB2FE60E-A7CA-4EA7-BFC8-AB794EC6FF00@inria.fr> <5314AF9B.8000402@drh-consultancy.co.uk> <CACsn0cmc=zDLeUWi-cNEK=rNzmZs7OBjwArSwtj15N+=RAT5XQ@mail.gmail.com>
In-Reply-To: <CACsn0cmc=zDLeUWi-cNEK=rNzmZs7OBjwArSwtj15N+=RAT5XQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_2A0EFB9C05D0164E98F19BB0AF3708C711EFC3909CUSMBX1msgcorp_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1NYWxuCCYRh3I82_YjG51IXK1rM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 23:32:50 -0000

> both of which were previously noticed in 2009 with the Rex/Ray attack.

Hmm…  Four-plus years is a pretty darn good record, I’d say.

> why users should continue to trust TLS with confidential information.

At the risk of being flip or snarky, because it’s the only thing we have. Therefore everyone uses it and therefore there are lots more “interesting” places for an adversary to attack.  As the old joke goes, I don’t have to outrun the bear, I just have to outrun you.

At one point, the most common way banks transferred money amongst themselves was PGP signed data over FTP. I don’t know if it’s still true. The US Federal Reserve requires TLS over direct leased lines for banks doing transactions more than $10Million.

> Username password and cookies continue to be widely used in part because client authentication in TLS has not had a good run.

You mean because client certs are not widely deployed, right?  Perhaps some name/pbkdf2 is better?
                /r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA