IETF Logo Mail Archive

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sun, 06 December 2015 16:05 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EF61AD063 for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 08:05:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yoL82JZJ0QR2 for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 08:05:05 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7611E1AD062 for <tls@ietf.org>; Sun, 6 Dec 2015 08:05:04 -0800 (PST)
Received: by wmec201 with SMTP id c201so134432523wme.0 for <tls@ietf.org>; Sun, 06 Dec 2015 08:05:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:mime-version:content-type:in-reply-to:date:cc :message-id:references:to; bh=DOnHK17lLiTt+BkStjY2ERmRnXXnvvAP5fEQ78Jz+2g=; b=JkH1tVO+RqW4GfEyKsYAcpFt0PcwQn6O2/Lb5LAPgsiQcUWmQldXpFguzZsXti2Srl Wyj0i4cM8Suo3hlF57jPO/Rhfkl5kGSvX10fhuqZ9/WO+OvEc8UrwplT67gi4bXdAIVT z/xk9xiV2114f94CDcIeU0IEzGmUoPU4gEDXgYvItBBRfT9zIzrc2S4rSts5w7c+fL5Y LOxiAgPhAymWp6C9cG07Ji04aZH9SUj6Di5pynm4x9dfyhuW7UJkAEkkYFWfVmXXXm+b zT8qYl8CVd2e15BqO+yr5XAHOXKUt0RUNYnR05b1sK3bzIYqiEk5g5RJgrZzFlpsfmCq tboA==
X-Received: by 10.28.9.138 with SMTP id 132mr16112685wmj.19.1449417903102; Sun, 06 Dec 2015 08:05:03 -0800 (PST)
Received: from [192.168.0.12] (89-156-8-219.rev.numericable.fr. [89.156.8.219]) by smtp.gmail.com with ESMTPSA id l7sm20913066wjx.14.2015.12.06.08.05.01 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 06 Dec 2015 08:05:02 -0800 (PST)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
X-Google-Original-From: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
Content-Type: multipart/signed; boundary="Apple-Mail=_CE96B18A-D604-4EAD-BFEC-675059A1E0EF"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
In-Reply-To: <2024935.xrVgKcrptC@pintsize.usersys.redhat.com>
Date: Sun, 06 Dec 2015 17:04:59 +0100
Message-Id: <1DDA0CBD-4D73-43A4-A647-10ED73CE1A99@inria.fr>
References: <20151015130040.9F1BB1A2EF@ld9781.wdf.sap.corp> <2348468.lpGyMim7ub@pintsize.usersys.redhat.com> <9A043F3CF02CD34C8E74AC1594475C73F4B9B3DA@uxcn10-5.UoA.auckland.ac.nz> <2024935.xrVgKcrptC@pintsize.usersys.redhat.com>
To: Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/38LDkgVnIeS4pNTpUBhXYJdF9pc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: Clarification on interleaving app data and handshake records
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 16:05:07 -0000

Our state machine design in miTLS was quite deliberate, and based on our interpretation of the TLS 1.2 spec. It is possible that we got this interpretation wrong, but maybe the protocol authors can clarify the intended behavior.

However, I think that looking at the Handshake protocol message sequence (Figure 1) for guidance is misleading, because this sequence only concerns the first handshake and does not handle renegotiation. Otherwise, all messages would be marked as optionally encrypted. A proper interpretation of this issue must take into account the two-layer Record/Handshake split that is inherent to TLS 1.2. For example, one interpretation is that the CCS message changes Record state and Application Data can then directly interact with Record without necessarily being aware of Handshake status.

In any case, a note about the miTLS security theorem. In miTLS, every application data fragment is labeled by the epoch in which it is sent and received. miTLS itself does not concatenate data from different epochs, but gives applications enough information about the two epochs so that it can choose to combine data from different epochs (say if the  certificates used in the two epochs are the same.)

So, the miTLS security theorem shows that sending and accepting data during a renegotiation handshake is fine, as long as:
(a) this data is treated as belonging to the previous epoch, not the next one, and
(b) no data is sent or accepted between CCS and Finished in either direction.
Notably, this means that if the new epoch uses new certificates for the client and/or server, any application data sent during the handshake does not get to be authorized with the new certificates, since it still belongs to the old epoch. If the current handshake completes and then new data is sent, the new data will be labeled with the new epoch. Now, the application on top of TLS gets to decide whether it wants to concatenate the data streams from the two epochs.

For other implementations, I do agree that sending or accepting data once renegotiation has begun but before the new handshake has finished can be dangerous, because it is sometimes unclear whether this data will be associated with the as-yet-unconfirmed parameters of the new handshake.

Best,
-K.



> On 06 Dec 2015, at 16:50, Hubert Kario <hkario@redhat.com> wrote:
> 
> On Saturday 05 December 2015 23:54:25 Peter Gutmann wrote:
>> Hubert Kario <hkario@redhat.com> writes:
>>> miTLS does accept Application Data when it is send between Client
>>> Hello and Client Key Exchange and rejects it when it is sent between
>>> Change Cipher Spec and Finished.
>> 
>> Given that miTLS is a formally verified implementation, would this
>> imply that there's a problem with the verification?  "Beware of bugs
>> in the above code; I have only proved it correct, not tried it"?
> 
> This behaviour is dictated by the TLS 1.2 RFC, although partially
> indirectly:
> - the acceptance of application data during subsequent handshakes is
>   explicit
> - the no application data between CCS and Finished is implicit, as it
>   is only stated that the Finished MUST be the next message directly
>   following CCS. And since CCS and Finished have different content
>   types, that means that the limitation is cross-content type, unlike
>   for other handshake messages
> 
> So on the face of it, behaviour of miTLS is correct.
> 
> Now, as we've discussed on the OpenSSL bug tracker. This does cause
> problems if we have certificate based client authentication and the TLS
> library returns client authentication data from *new* handshake while it
> still has not received and processed Finished message. If that is the
> case, then the attacker may force the server to process messages under
> authority it still didn't verify.
> 
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic_______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email