IETF Logo Mail Archive

Re: [TLS] Revision 10: possible attack if client authentication is allowed during PSK

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sun, 01 November 2015 09:20 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9241A6F03 for <tls@ietfa.amsl.com>; Sun, 1 Nov 2015 01:20:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8ExFdmGnMzo for <tls@ietfa.amsl.com>; Sun, 1 Nov 2015 01:20:02 -0800 (PST)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0A0B1A6EF4 for <tls@ietf.org>; Sun, 1 Nov 2015 01:20:01 -0800 (PST)
Received: by wmff134 with SMTP id f134so39124721wmf.0 for <tls@ietf.org>; Sun, 01 Nov 2015 01:20:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=pF7nQlk/cD6++qCg5T38OtoSyT/IjbfQbDHSxZJvBdo=; b=A4Eam+ocNefBxHx/GmIaIl40gz1//0e3m8O8RHTCb9143HHZH0AK3p/aklrEWNchzU oVC5w4y9ddpeoO4wwkjtpDk/qQoQuL96+GtyKR/PIus1QXQgejLPYO7Sw7AgHdw9Plew dwX7qKIl7jfN6oiXI27htJu2PjK29oeTf3QkO5JF9j3noUy1Y2YPR42WhVKVlS2toZgy 80XUlboBXnzl66Kr6DzkuDRHdVcnQKtB5BFQNEfIicAzx95CCUQtGUXAKSOCSlLMJ1/6 riUhahw2vWA9NnICsz8s46vm3/MG9hsku5VG99gBw50AdzsKNKkHiZ9UGXqZ7CMdBPm0 nnlw==
X-Received: by 10.28.174.130 with SMTP id x124mr7887619wme.12.1446369600153; Sun, 01 Nov 2015 01:20:00 -0800 (PST)
Received: from [192.168.0.12] (89-156-8-219.rev.numericable.fr. [89.156.8.219]) by smtp.gmail.com with ESMTPSA id iw8sm16133953wjb.5.2015.11.01.01.19.58 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 01 Nov 2015 01:19:59 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_24AF774C-C51B-40E2-A74A-A7C47EB67057"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <5634A3B8.7070701@gmail.com>
Date: Sun, 01 Nov 2015 10:19:58 +0100
Message-Id: <E9B7FFA7-4ED7-4BCF-8B8A-62DEBC97DCC3@gmail.com>
References: <5634A3B8.7070701@gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3OvJMWJ8vvhcRjns2exmuO7lNdU>
Cc: tls@ietf.org
Subject: Re: [TLS] Revision 10: possible attack if client authentication is allowed during PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Nov 2015 09:20:04 -0000

Nice analysis! I think that the composition of different mechanisms in the protocol is likely to
be where many subtle issues lie, and analyses like this one support that concern.

Several other composition examples were already discussed on this list (for previous drafts).
For example, when composing 0-RTT with 1-RTT in the most natural way, many attacks appeared:
   (1) 0-RTT application data  may be replayed (See note (2) in 6.2.2.)
   (2) an unknown key share attack on 0-RTT encryption keys (leading to the inclusion of ServerCertificate in 0-RTT handshake hash in 7.2.1)
   (3) a key compromise impersonation attack on 0-RTT (See note (3) in 6.2.2)

The addition of resumption, PSK, and client-auth provide plenty of further composition possibilies
that are (in my surely biased opinion) best handled by automated formal analysis. 
So, I’m looking forward to the full Tamarin results!

Best,
Karthik

> On 31 Oct 2015, at 12:19, Sam Scott <sam.scott89@gmail.com> wrote:
> 
> Dear all,
> 
> We [1] are in the process of performing an automated symbolic analysis
> of the TLS 1.3 specification draft (revision 10) using the Tamarin
> prover [2], which is a tool for automated security protocol analysis.
> 
> While revision 10 does not yet appear to permit certificate-based client
> authentication in PSK (and in particular resumption using PSK), we modelled
> what we believe is the intended functionality. By enabling client
> authentication either in the initial handshake, or with a post- handshake
> signature over the handshake hash, our Tamarin analysis finds an attack. The
> result is a complete breakage of client authentication, as the attacker can
> impersonate a client when communicating with a server:
> 
> Suppose a client Alice performs an initial handshake with Charlie. Charlie,
> masquerading as Alice, subsequently performs a handshake with Bob. Following a
> PSK resumption, Bob requests authentication from Charlie (impersonating Alice).
> Charlie then requests authentication from Alice, and the returned signature
> will also be a valid signature for the session with Bob.
> 
>         Initial h/s                                      Initial h/s
>      |<-------------->|                               |<-------------->|
>      |  exchange PSK  |                               |  exchange PSK  |
>      |                |                               |                |
>      |Start PSK resume|                               |Start PSK resume|
>      |--------------->|                               |--------------->|
>      |client_random nc|                               |client_random nc|
>      |                |                               |                |
>      |  Accept resume |                               |  Accept resume |
> Alice|<---------------|(as Charlie) Charlie (as Alice)|<---------------|Bob
>      |server_random ns|                               |server_random ns|
>      |                |                               |                |
>      |                |                               |                |
>      |Client auth req |                               |Client auth req |
>      |<---------------|                               |<---------------|
>      |                |                               |                |
>      |  Client auth   |                               |  Client auth   |
>      |--------------->|                               |--------------->|
>        sign nc,ns,...                                  relay signature
> 
> 
> 
> This attack is possible because the client signature is over the handshake
> hash, which only covers the nonces and other easily duplicated information,
> and in particular does not contain the server certificate (because none is
> presented in PSK mode [3]) or the server Finished.
> 
> While the modifications proposed in PR#316 [4] explicitly allow client
> authentication in these contexts, the PR also redefines the client signature
> based on a new "Handshake Context" value which includes the server Finished
> message. Intuitively, this new definition appears to address the attack
> because the attacker cannot transplant the Finished message between
> connections. We are currently working towards a Tamarin proof that PR#316
> indeed prevents our attack.
> 
> Therefore we would like to support the inclusion of Finished as
> part of the handshake context, in order to address this problem.
> 
> Many thanks,
> 
> Sam Scott
> 
> [1] Cas Cremers, Marko Horvat - University of Oxford;
>     Thyla van der Merwe, Sam Scott - Royal Holloway, University of London.
> [2] http://www.infsec.ethz.ch/research/software/tamarin.html <http://www.infsec.ethz.ch/research/software/tamarin.html>
> [3] Except in 0-RTT where the server's Certificate is explicitly
>     included.
> [4] https://github.com/tlswg/tls13-spec/pull/316/ <https://github.com/tlswg/tls13-spec/pull/316/>_______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email