IETF Logo Mail Archive

Re: [TLS] A not-so crazy idea

Michael D'Errico <mike-list@pobox.com> Sun, 15 November 2009 18:39 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BFEB43A67B4 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 10:39:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PU-awXeLvw0S for <tls@core3.amsl.com>; Sun, 15 Nov 2009 10:39:38 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id AB0663A69F1 for <tls@ietf.org>; Sun, 15 Nov 2009 10:38:49 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 089259E700 for <tls@ietf.org>; Sun, 15 Nov 2009 13:38:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=f1E1qRqMJIsv fWjDOEHIbEG0068=; b=Zsk3TLlTeUHAPVgFB3ZxRNMY+h6Ne57LGtPotxbXM81m vKW5q1tIBKpDZauhZksxaCj3G+3iX4ArdZpJfl0Fvhl/r6m2f++GrCl6N4N/e31X fOKDPh7eDcduDHcbdIs+MfXxfLurp2Bh3+QSzsaXYPwQtoOhMcfHq3AsJfWe2Lo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=pWIKbN odfnhGD+yaWeMJ17wOKhsnAB6pV1bUZUWB9hOGPU6VyPYg3Sl2gLgHIyKBGzgn3y ZACLiHpjHnVoXSszmlLNBo4GAU6PScj5EjoSZih/KEkvzEYXZhLfOmO8K4RZlFFQ 3vpzt0BJkStMFjd03UdIk/uxlgrcnO0zwEG9c=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 04A589E6FF for <tls@ietf.org>; Sun, 15 Nov 2009 13:38:48 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id 735F69E6FE for <tls@ietf.org>; Sun, 15 Nov 2009 13:38:47 -0500 (EST)
Message-ID: <4B004AE7.9000305@pobox.com>
Date: Sun, 15 Nov 2009 10:39:35 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911150230.nAF2USpK019975@fs4113.wdf.sap.corp> <4AFF6EFA.6080508@pobox.com> <4AFF7071.9050102@extendedsubset.com> <4AFF77B1.1000106@jacaranda.org> <4AFF7EC3.8060805@pobox.com> <20091115173157.GR1105@Sun.COM>
In-Reply-To: <20091115173157.GR1105@Sun.COM>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 1CAA7FB4-D216-11DE-8A99-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] A not-so crazy idea
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 18:39:39 -0000

Nicolas Williams wrote:
> On Sat, Nov 14, 2009 at 08:08:35PM -0800, Michael D'Errico wrote:
>> Here's a crazy idea: we could define a completely incompatible change
>> to the way Finished messages are calculated even on initial handshakes.
> 
> Not on initial.  My proposal is to do it only on re-negotiate.

Doing it on initial is necessary to protect clients when the server is
not patched.

Remember that the attack happens on the client's INITIAL handshake!
We need to protect that handshake, and no other proposal does that
reliably.  Simply finishing the initial handshake completes the attack.

Modifying the Finished calculation provides protection, but the best
part is that an upgraded server can reliably detect the following three
cases:

    1) client is unpatched
    2) client is patched
    3) a MITM tampered with the handshake

The server calculates both the old and the new client verify_data to
see which one matches.  If it matches the old (current) calculation, then
the server knows the client is not upgraded (case 1) and it will not allow
any renegotiations -- if this handshake IS a renegotiation, then there is
a MITM possible, so the renegotiation is refused.

If the client's verify data matches the new Finished calculation, then
the handshake is allowed to complete whether it is an initial handshake or
a renegotiation.  (The new verify_data would incorporate channel binding
info akin to the proposed RI extension.)

If neither matches, then there was tampering by a MITM.

Problems with RI:

The RI extension is attackable in many ways by a MITM.  It can be stripped
from the ClientHello or stripped from ServerHello.  If one side or the
other makes decisions based on the presence or absence of the extension,
then the MITM can control your behavior.  The MITM can simulate a server
"crash" by not forwarding the ServerHello, forging a fatal alert, or just
closing the connection.

And as has been pointed out there are numerous problems with requiring an
implementation to add support for extensions, and may not be possible if
the code only does SSLv3.

Changing the Finished calculation is much better since there is no other
change to the handshake, and does not modify anything about the bits on
the wire.  This is much more resistant to tampering by a MITM, and the
server can reliably detect it!

I think this is not such a crazy idea and should be given consideration.

Mike

v2.23.0 | Report a Bug | By Email