Re: [TLS] MITM Attacks on Client Authentication after Resumption

Karthik Bhargavan <karthik.bhargavan@gmail.com> Wed, 05 March 2014 13:08 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 818721A006B for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 05:08:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pz6XPFuzmdcs for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 05:08:03 -0800 (PST)
Received: from mail-ve0-x235.google.com (mail-ve0-x235.google.com [IPv6:2607:f8b0:400c:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id D07D91A04C1 for <tls@ietf.org>; Wed, 5 Mar 2014 05:07:59 -0800 (PST)
Received: by mail-ve0-f181.google.com with SMTP id oy12so987216veb.26 for <tls@ietf.org>; Wed, 05 Mar 2014 05:07:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=8Ll9fw2JzvmqVrD+BUW3EnIPDms/Y19cWWeEa7ewSp0=; b=ZZz3vFkxH1ksGej3mIcOHSgkXPAa/CetZbB9RHb/oIm4aYMZX+FE89Xg5rjgov/9SX FwVlQj64YWoDPEWoHFWcqPlOa1qq0ExSZlJEG62Apd9otVX41ooUa9vVokCV6giSLNjJ WD+UiabRPqJj1W13KHHSUE04GtHZncyZr/zGGD/x69WnD3d7HwSq9yK1a3pOEuUXh8Sn kyT16tGu02kmnalEgBoY/UPWOqcY9niYP64o5iLqNf99Vkrn7Bi9oUubhCQt9/qn3EmM Pk985fMtWwTA27Qltts7bW47IC+/Zq/KHZk88SpZX5dGxCBZvU1CPhbpYbaZqXdV848V U6Xg==
X-Received: by 10.52.69.146 with SMTP id e18mr3633844vdu.15.1394024876128; Wed, 05 Mar 2014 05:07:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.96.195 with HTTP; Wed, 5 Mar 2014 05:07:36 -0800 (PST)
In-Reply-To: <20140305125642.0B9871AC3E@ld9781.wdf.sap.corp>
References: <20140303231316.03E2E1AC37@ld9781.wdf.sap.corp> <20140305125642.0B9871AC3E@ld9781.wdf.sap.corp>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Wed, 5 Mar 2014 14:07:36 +0100
Message-ID: <CA+_8ft4HxYeBohwjo8D2dzAKaJNeyVOnYdiB8Ktd1bvRj1Bmcw@mail.gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary=20cf3071cd0e8cc04804f3dbb5a6
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2OaoYQx1PEM1kViktKqDZYJ1kRM
X-Mailman-Approved-At: Wed, 05 Mar 2014 05:11:37 -0800
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 13:10:31 -0000

> The only "non-static" data covered by the Finished handshake messages of
> the abbbreviated TLS handshake (i.e. that goes into the renegotiation_info
> of the resumed TLS handshake are):
>
>     ClientHello.random
>     ServerHello.random
>     ClientHello.session_id == ServerHello.session_id
>

Renego Indication uses the client and server verify data:

verify_data = PRF(master_secret, label, Hash(handshake_message)

So, it is bound to the master_secret

-K.