Re: [TLS] Inter-protocol attacks
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Fri, 15 August 2014 08:45 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1B461A0972 for <tls@ietfa.amsl.com>; Fri, 15 Aug 2014 01:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_P9tv2YXL8M for <tls@ietfa.amsl.com>; Fri, 15 Aug 2014 01:45:20 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 624781A092B for <tls@ietf.org>; Fri, 15 Aug 2014 01:45:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=yqIqVpnI8HBU+sipJTgpzVm8znXXmJ8hJ0vnoTdH+P0=; b=PmDYl7Wo075q94jmmFBNx6tg5RZSQNUaeXCDx6QKRpIdBEYew38JMYOozibz6EE8L9/GbAEtB4Sl09yKCRcE5COFTO+dygIA4QmbXRTnXbWP3FxrHzFBYOW6VER/SEIQ;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (envelope-from <antoine@delignat-lavaud.fr>) id 1XID8B-0001yC-2u ; Fri, 15 Aug 2014 10:45:03 +0200
Message-ID: <53EDC889.5030704@delignat-lavaud.fr>
Date: Fri, 15 Aug 2014 09:44:57 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: mrex@sap.com, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <20140815015630.D29521AE0D@ld9781.wdf.sap.corp>
In-Reply-To: <20140815015630.D29521AE0D@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3qZvYxnNqK6BMvE--wKot5_mK2o
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Inter-protocol attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 08:45:24 -0000
Le 8/15/2014 2:56 AM, Martin Rex a écrit : > But I still fail to see how session resumption would aggravate > any bogosities performed by applications as long as the servers > certificates on both handshakes (resumption an full) > will properly *PASS* the usual server endpoint identification checks, > which is what has been asserted. As I explained before, the reason why it is the case is because TLS authorization is not context free: it depends on the application context. In HTTP, application context boils down to origin, because the same origin policy is the only security context that makes sense in a browser. Any TLS authorization for the Web that uses a context broader than origin is going to be a source of attack. This applies to both server and client. The problem with resumption is that unlike full handshakes, it uses implicit authorization. This can be easily blamed on protocol implementations, but TLS could have made resumption authorization more explicit. On the server side, most web servers use a very simple authorization policy, which is basically "return true" regardless of the context. This is bad, because there are many reasons why a server would want to reject certain resumption requests, in particular when the application context (domain / SNI) of the resumption is different from the one in the initial connection. For instance, if the session being resumed is user authenticated, the server may want to use a different CA on the domain of the resumption, or an anonymous session. It may also prefer to use another certificate (such as an extended validation one) for this domain (even though the initial one may also work, say because it has a wildcard), or a different cipher, or avoid using the same Channel ID, or many other reasons. The new domain of the resumption may not be handled by the server (in fact, if the server uses multiple certificates, or a shared ticket key, it can even be that the requested domain is not in the certificate of the original session), in which case authorizing the resumption is guaranteed to break the same origin policy. These are all real attacks that can be found against top websites (see https://bh.ht.vc). On the client side, clients typically use a resumption policy based on the domain associated with the session. This works great for HTTPS because protocol+domain is almost as good as origin (port being part of origin is a mistake). However, SPDY uses a resumption policy that assumes that authorization of the initial connection extends to other domains in the certificate. This is not the case: the original authorization was granted in a different application context, and it is in fact necessary to re-authorize the connection in the new context. See http://youtu.be/7zNWKTDs99g for a concrete exploit. Overall, I am well aware that little can be done in the TLS protocol to solve the shortcomings of application authorization. Since SNI provides a good application context indication even outside HTTPS, the change that I was initially proposing to OpenSSL and Nginx several months ago was to enforce that the SNI may not change when a session is resumed. However, this restriction is not compatible with SPDY, and almost all servers continue to accept resumption with a different SNI currently. Best, Antoine Delignat-Lavaud
- [TLS] Inter-protocol attacks Watson Ladd
- Re: [TLS] Inter-protocol attacks Bodo Moeller
- Re: [TLS] Inter-protocol attacks Ilari Liusvaara
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Martin Thomson
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Martin Rex
- Re: [TLS] Inter-protocol attacks Ilari Liusvaara
- Re: [TLS] Inter-protocol attacks Martin Rex
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Karthikeyan Bhargavan
- Re: [TLS] Inter-protocol attacks Martin Thomson