Re: [TLS] simplistic renego protection
David-Sarah Hopwood <david-sarah@jacaranda.org> Sun, 22 November 2009 21:16 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D98E63A6821 for <tls@core3.amsl.com>; Sun, 22 Nov 2009 13:16:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUAcRUV-L8Oj for <tls@core3.amsl.com>; Sun, 22 Nov 2009 13:16:16 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id 6B4343A6951 for <tls@ietf.org>; Sun, 22 Nov 2009 13:16:16 -0800 (PST)
Received: by ewy6 with SMTP id 6so1302119ewy.29 for <tls@ietf.org>; Sun, 22 Nov 2009 13:16:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=hr8e00t6GaITcgDhDnbbyhh8Ff3pxR/dY5XZkWzFGKE=; b=MbPdu4cjEWVPTwKXSTisisd7bwETrSXATGqqOrEV5NKHmK/2SOyahtrX0j0K8h4z6Q uUSnE5WbMl31IzNH5G+wd1eH3WIettBfCwc06ABBXc7x0a+7HTCaz0eu68GVeVsyx/oH +6ndO8H8PvdXm6tee/9dHYMPsk5fPQRcjKdkc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=AtOPasyZ/z4WGigfPMBpWJAAXbVPHCLeIvpujZAY9teuOL5dQ1bLU8VHnZMr5ORAqf XwMFu8vn9hti0Vr13IQ+ZvipbNLD8cLrkAvaM8oBD3AgaXQ/Qg1o5Di+GJMv9YHPpvtm Dzv0T9IZjJBjwSgZKcuUN1EDKdzxeIuOhMYF8=
Received: by 10.213.2.84 with SMTP id 20mr2758842ebi.90.1258924569756; Sun, 22 Nov 2009 13:16:09 -0800 (PST)
Received: from ?192.168.0.2? (5e023669.bb.sky.com [94.2.54.105]) by mx.google.com with ESMTPS id 5sm885271eyh.40.2009.11.22.13.16.08 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 22 Nov 2009 13:16:08 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B09AA00.9040205@jacaranda.org>
Date: Sun, 22 Nov 2009 21:15:44 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <C72BFA89.67A2%stefan@aaa-sec.com> <4B06E2D7.2040302@jacaranda.org> <1b587cab0911211147jf3f57b3y8528717b152cd8c2@mail.gmail.com> <4B086752.1030205@jacaranda.org> <1b587cab0911221107u4ac1a854p235d493584d8296c@mail.gmail.com>
In-Reply-To: <1b587cab0911221107u4ac1a854p235d493584d8296c@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigF3D4C758DA677365BCDEF372"
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2009 21:16:17 -0000
Ben Laurie wrote: > On Sat, Nov 21, 2009 at 2:18 PM, David-Sarah Hopwood < > david-sarah@jacaranda.org> wrote: > >> Ben Laurie wrote: >>> On Fri, Nov 20, 2009 at 10:41 AM, David-Sarah Hopwood < >>> david-sarah@jacaranda.org> wrote: >>> >>>> Stefan Santesson wrote: >>>>> On 09-11-20 5:24 AM, "Michael D'Errico" <mike-list@pobox.com> wrote: >>>>> >>>>>> Some servers apparently cannot function without renegotiation. >>>>>> They will need to continue providing service to unpatched >>>>>> clients for some amount of time and thus remain vulnerable. >>>>> I fully agree, >>>>> >>>>> However, just because a server accepts renegotiation with an unpatched >>>>> client, does not necessarily mean that the service provided over TLS is >>>>> vulnerable. >>>>> >>>>> One example is if authentication is performed with proper channel >>>>> binding in a layer above TLS and the service is provided under that >>>>> security context. >>>> >>>> I'm skeptical. How can "proper channel binding" be done correctly in a >>>> layer above TLS, if the TLS library merges renegotiated sessions? >>>> Since the session merging will result in the client and server's state >>>> at the higher layer(s) being out of sync, nothing can be assumed about >>>> the correct functioning of those layers. >>> >>> The depends on those layers. If, for example, clients and servers simply >>> numbered their requests/responses, they would be immune to the attack. >> >> That's not sufficient. They'd also have to make sure that renegotiation >> boundaries coincide with request/response boundaries. That requires that >> the app be notified by the TLS library precisely when a renegotiation >> occurs, and that individual reads and writes cannot extend across a >> renegotiation boundary. This contradicts the assumption that I stated >> explicitly above: "if the TLS library merges renegotiated sessions". >> It's also rather prone to application error even in cases where it would >> theoretically work. > > I don't believe your argument. For example, if each byte were numbered, then > the application would not care one whit about boundaries (other than > reconnections, which it manages anyway). Numbering each byte is not what you suggested above. You haven't given enough detail to tell whether this could work, but if for the sake of argument it could, it would require incompatible changes to the application protocol. Therefore, it's not an argument that justifies the original point by Stefan Santesson above, about servers that accept renegotiations with unpatched clients not necessarily being vulnerable. In practice, such servers will be vulnerable for existing protocols. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- Re: [TLS] simplistic renego protection Chris Newman
- [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Joseph Salowey (jsalowey)
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection peter.robinson
- Re: [TLS] simplistic renego protection Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] simplistic renego protection Stephen Farrell
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Yair Elharrar
- Re: [TLS] simplistic renego protection Steve Dispensa
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Robert Dugal
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Simon Josefsson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- [TLS] Definition of "lenient server" David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Bill Frantz
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Yngve Nysaeter Pettersen
- Re: [TLS] simplistic renego protection Peter Gutmann
- Re: [TLS] simplistic renego protection Kyle Hamilton