Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV

Michael Gray <mickgray@au1.ibm.com> Thu, 10 December 2009 02:18 UTC

Return-Path: <mickgray@au1.ibm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 968A43A69FA for <tls@core3.amsl.com>; Wed, 9 Dec 2009 18:18:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.592
X-Spam-Level:
X-Spam-Status: No, score=-6.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPbFUJvGsq7f for <tls@core3.amsl.com>; Wed, 9 Dec 2009 18:18:41 -0800 (PST)
Received: from e23smtp06.au.ibm.com (e23smtp06.au.ibm.com [202.81.31.148]) by core3.amsl.com (Postfix) with ESMTP id B84933A68EA for <tls@ietf.org>; Wed, 9 Dec 2009 18:18:40 -0800 (PST)
Received: from d23relay05.au.ibm.com (d23relay05.au.ibm.com [202.81.31.247]) by e23smtp06.au.ibm.com (8.14.3/8.13.1) with ESMTP id nBA2IKY6015034 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:20 +1100
Received: from d23av01.au.ibm.com (d23av01.au.ibm.com [9.190.234.96]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nBA2EbQd1630218 for <tls@ietf.org>; Thu, 10 Dec 2009 13:14:38 +1100
Received: from d23av01.au.ibm.com (loopback [127.0.0.1]) by d23av01.au.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nBA2IR1n004126 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:27 +1100
Received: from d23ml003.au.ibm.com (d23ml003.au.ibm.com [9.190.250.22]) by d23av01.au.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nBA2IRo1004120 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:27 +1100
In-Reply-To: <200912092020.nB9KKu39003981@fs4113.wdf.sap.corp>
To: mrex@sap.com
X-Mailer: Lotus Notes Release 7.0 HF277 June 21, 2006
Message-ID: <OF077778A0.30F948CF-ON4A257687.007F44D3-4A257688.000C7CE6@au1.ibm.com>
From: Michael Gray <mickgray@au1.ibm.com>
Date: Thu, 10 Dec 2009 12:16:24 +1000
X-MIMETrack: Serialize by Router on d23ml003/23/M/IBM(Release 7.0.2FP3HF80 | July 14, 2008) at 10/12/2009 13:25:26
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Cc: tls@ietf.org
Subject: Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 02:18:42 -0000

mrex@sap.com wrote:

> Here is my analysis of the requirements and implementation efforts
> for TLS extension RI with magic cipher suites value (MCSV), based on my
> recent experiences from implementing
draft-mrex-tls-secure-renegotiation-03
> in OpenSSL-0.9.8l and looking at the early implementation of
draft-rescorla
> in the OpenSSL-0.9.8-snapshot.
>
> The purpose of the MCSV is:
>
>   - provide interop with installed base of old, extensions-intolerant
>     servers (original&correct SSLv3 and "defective" TLSv1.0)
>
>   - provide protection from downgrade attacks
>     (extension-less ClientHello or SSLv2 ClientHello)
>
>   - provide protection in backwards interop scenarios
>     (renegotiation requested by old servers).
>
>
> in order to reliably provide this,
>
>   - MCSV is defined to represent an empty TLS extension RI
>
>   - MSCV MUST be included in *ALL* initial ClientHello handshakes
>     messages _plus_ all renegotiation ClientHellos in backwards
>     interop scenarios (independent of full handshake or session resume).
>
>   - empty TLS extension RI MUST NOT be sent, ever!

This looks good to me, the only thing I would change is I think MUST NOT
would be better as SHOULD NOT as the later requires that the implementer
examine the conditions and implications etc to make the best decision.  We
know that many current browsers always send extensions and for that use
case there is no need to change due to this specification.  However we also
know that there is a large installed base of SSL consuming applications
that are not browser related that have never had any requirement process
extensions and therefore do not support extensions or are extension
intolerant.


>   - TLS extension RI with Client.Finished.verify_data in ClientHello
>      - MUST NOT be sent on renegotiation handshakes in backward
>        interop scenarios with old servers which could otherwise break
>      - MUST be sent in all other renegotiations
>
>
> If the spec would require that an empty TLS extension RI in a
> ClientHello MUST be completely ignored, then _everyone_ can save 5-10
LoC.
>
> There is a significant difference between extensions-tolerant and
> extensions-support.  Extensions tolerant means, that a server
> will not choke on a ClientHello handshake message, but instead
> simply ignore all data following compression methods compliant
> to the provision in the updated-but-never-published SSLv3,
> TLSv1.0 and TLSv1.1 specs.
>
> In order to implement secure renegotiation with TLS extension RI
> a "generic" TLS extensions parser (~150 LoC) is necessary to
> find the TLS extension RI among other extensions, process it
> and create and process the TLS extension RI reply.

We used 177 LoC for a generic parser and another 106 LoC for the RI
specific logic.  However our experience is that additional effort to back
port into unfamiliar old code is far more costly in time than one would
expect based on LoC count even when considering we have current code that
supports extensions.

Additionally a large problem is testing this in code bases that do not
support extensions.  Manual testing can be done, but that is prone to
error, is costly, and time consuming each time we release code, which means
we will need to spend a lot more time developing automated testing.



> Support
> for other TLS extensions and API-level access to TLS extensions
> is completely out-of-scope for the following.

Agree

>
>
> Adding MCSV to ClientHello on the client and parsing MCSV from
> the ClientHello on the server will typically be <10 LoC each.

Agree


>
> Creating an processing an empty TLS extension RI on the ServerHello
> is also typically <10 LoC each for extension-less implementations.
>
>
> Types of TLS peers in the current installed base:
>
> 1.)  old TLS client, no extensions, no renegotiation
>
> 2.)  old TLS client, no extensions,    renegotiation
>
> 3.)  old TLS client,    extensions, no renegotiation
>
> 4.)  old TLS client,    extensions,    renegotiation
>
>
> 5.)  old TLS server, extensions-intolerant, no renegotiation
>
> 6.)  old TLS server, extensions-intolerant,    renegotiation
>
> 7.)  old TLS server, no extensions,         no renegotiation
>
> 8.)  old TLS server, no extensions,            renegotiation
>
> 9.)  old TLS server, extensions,            no renegotiation
>
> 10.) old TLS server, extensions,               renegotiation
>
>
> The server patches that are currently applied in the field are
> (6)  -> (5)
> (8)  -> (7)
> (10) -> (9)
>
>
> Additional types of TLS peers when TLS extension RI is implemented:
>
> 11.) updated TLS client, RI-minimal,    no renegotiation
>
> 12.) updated TLS client, RI-only,          renegotiation
>
> 13.) updated TLS client,    extensions, no renegotiation
>
> 14.) updated TLS client,    extensions,    renegotiation
>
>
> 15.) updated TLS server, RI-minimal,    no renegotiation
>
> 16.) updated TLS server, RI-only,          renegotiation
>
> 17.) updated TLS server,    extensions, no renegotiation
>
> 18.) updated TLS server,    extensions,    renegotiation
>
>
>
> Effect of requiring MCSV on implementation effort
> -- for non-renegotiating servers:
>
> If we require MSCV on _every_ ClientHello
> then the update (5),(6),(7),(8) -> (15) amounts to ~20 LoC
>      the update        (9),(10) -> (17) amounts to ~40 LoC
>
> If we do not require MCSV on _every_ ClientHello
> then the update (5),(6),(7),(8) -> (15) amounts to ~80 LoC
>      the update        (9),(10) -> (17) amounts to ~60 LoC
>
>
> Effect of requiring MCSV on implementation effort
> -- for non-renegotiating clients:
>
> If we require MCSV on _every_ ClientHello,
> then the update (1),(2) -> (11) amounts to ~20 LoC
>                 (3)     -> (13) amounts to ~40 LoC
>
> If we do not require MCSV on _every_ ClientHello,
> then the update (1),(2) -> (11) amounts to ~80 LoC
>                 (3)     -> (13) amounts to ~60 LoC
>

These are very good numbers and closely match an internal analysis I have
made.


It is likely there will be Servers in critical production environments that
can not be patched (e.g. vendor no longer in business) and they will have
to be fully replaced, as time, planning and evaluation allows (as I noted
here :  http://www.imc.org/ietf-tls/mail-archive/msg11082.html)


I think the fact that Clients may concurrently interact with Servers of
types 5 to 10, means that the MCSV ONLY proposal is the best solution for a
low risk deployment.


>
>
> guestimates about secure rengotiation efforts:
>
> Servers: these are independent of whether MCSV is required
> (10)     -> (18)  maybe ~180 LoC
> (6),(8)  -> (16)  maybe ~200 LoC
> (6),(8)  -> (18)  maybe ~250 LoC
>
> Clients: these are independend of whether MCSV is required.
> (4)  -> (14)  maybe ~180 LoC
> (2)  -> (12)  maybe ~200 LoC
> (2)  -> (14)  maybe ~250 LoC
>


My guess is that at least five times the effort will be required to add
testing of this into existing auto test harnesses for code levels that do
not support extensions.  Interestingly this vulnerability fix is the only
reason these old code levels now need to support extensions.

Given this large test impact I find the
draft-mrex-tls-secure-renegotiation-03 alternate solution (which does not
require full extension implementation) to be preferable.

- Mick

> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls