Re: [TLS] Handshake not under protection
Geoffrey Keating <geoffk@geoffk.org> Mon, 21 December 2009 22:12 UTC
Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1AF993A6ACE for <tls@core3.amsl.com>; Mon, 21 Dec 2009 14:12:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Lmoe5QFYs5m for <tls@core3.amsl.com>; Mon, 21 Dec 2009 14:12:03 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by core3.amsl.com (Postfix) with ESMTP id 1D60828C0D0 for <tls@ietf.org>; Mon, 21 Dec 2009 14:12:03 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id AFB1333D125; Mon, 21 Dec 2009 22:11:33 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Michael D'Errico <mike-list@pobox.com>
References: <200912211949.nBLJn4H8002441@fs4113.wdf.sap.corp> <4B2FDB93.4090105@pobox.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Mon, 21 Dec 2009 14:11:33 -0800
In-Reply-To: <4B2FDB93.4090105@pobox.com>
Message-ID: <m2bphsht9m.fsf@localhost.localdomain>
Lines: 54
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailman-Approved-At: Mon, 21 Dec 2009 14:22:50 -0800
Cc: tls@ietf.org
Subject: Re: [TLS] Handshake not under protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 22:13:13 -0000
Michael D'Errico <mike-list@pobox.com> writes: > Martin Rex wrote: > > Marsh Ray wrote: > >> Martin Rex wrote: > >>> Marsh Ray wrote: > >>> > >>>> At the TLS level, it's possible for the current session to be > >>>> anon-anon-DH, which provides no protection. > >>> And which rfc-5246 requires to _not_ request a client certificate: > >>> > >>> 7.4.4. Certificate Request > >>> > >>> When this message will be sent: > >>> > >>> A non-anonymous server can optionally request a certificate from > >>> the client, if appropriate for the selected cipher suite. > >> The client cert is requested in the renegotiating handshake, not the > >> initial one. An anon-anon-DH session provides no "protection" for the > >> client cert passed in renegotiation. > >> > >> But it probably makes some people feel more secure to not see the > >> details (usernames, emails, phone numbers, street addresses) flying by > >> on the wire. > > OK. You are correct. > > That provision in 7.4.4. is about the _current_ handshake only > > and refers to the fact that a server has sent a "Certificate" > > message prior to CertificateRequest. Since at the point of > > the handshake, the Server is _not_ authenticated. There could have > > been a certificate path validation of the server certificate, > > but there is no proof yet, that the alleged server knows the > > necessary private key to the presented certificate, so this > > restriction in 7.4.4. does not provide security. > > If a DHE cipher suite is used, then the server can be authenticated > using only Certificate and ServerKeyExchange. With RSA cipher suites, > you are correct that a client doesn't authenticate the server until > Finished verifies. I think that still doesn't prove that there is no man in the middle. The MITM could forward the ClientHello to the real server, which will return a signed ServerKeyExchange with the correct client_random and server_random. The MITM won't be able to use the associated DH parameters but they aren't necessary until later in the exchange. Even sending the client certificate by renegotiating under an anonymous connection provides protection against any attacker who can see traffic but cannot (or does not want to) perform an active attack. I don't think it's generally useful to do start off anonymous, though, because the server is going to have to provide a certificate later anyway. Another approach, of course, is to not put unnecessary personal information in the client certificate in the first place.
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Ravi Ganesan
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Geoffrey Keating
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] Handshake not under protection Martin Rex