Re: [TLS] MITM Attacks on Client Authentication after Resumption

[Dr Stephen Henson <lists@drh-consultancy.co.uk>]

On 03/03/2014 15:20, Karthikeyan Bhargavan wrote:
> We are going to present some new man-in-the-middle attacks on TLS
> applications in Tuesday’s working group meeting. These attacks were
> found as part of our research on trying to prove cryptographic
> security for a TLS implementation [1].  We presenting some of the
> materials here to kick-start some discussion and get early comments on
> our proposed countermeasure. Some people on the list already know of
> these attacks but this is the first public disclosure.
> 
> More details are at https://secure-resumption.com [2]
> 

I'll just repeat an observation I made at the time. I'm assuming this is still
valid.

If the client verifies certificate chains whenever they are presented[1] the
attacker needs a certificate and corresponding private key the client trusts,
typically from a public CA. If not the client will typically reject the
certificate and abort the handshake immediately.

Assuming due diligence by the CA anyone detecting the attack will know the
identity of the attacker or more accurately the identity presented to and
checked by the CA.

If the client checks the hostname against the certificate whenever a
certificate is presented[2] then additionally the attacker needs a certificate
with the same hostname as the attacked server.

Steve.
1. As opposed to letting everything through and verifying chains after the
handshake is complete. Not something I'd consider wise...
2. This isn't always the case. Some applications check the hostname only after
the handshake has completed.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.