Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
Michael Gray <mickgray@au1.ibm.com> Thu, 10 December 2009 02:18 UTC
Return-Path: <mickgray@au1.ibm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 968A43A69FA for <tls@core3.amsl.com>; Wed, 9 Dec 2009 18:18:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.592
X-Spam-Level:
X-Spam-Status: No, score=-6.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPbFUJvGsq7f for <tls@core3.amsl.com>; Wed, 9 Dec 2009 18:18:41 -0800 (PST)
Received: from e23smtp06.au.ibm.com (e23smtp06.au.ibm.com [202.81.31.148]) by core3.amsl.com (Postfix) with ESMTP id B84933A68EA for <tls@ietf.org>; Wed, 9 Dec 2009 18:18:40 -0800 (PST)
Received: from d23relay05.au.ibm.com (d23relay05.au.ibm.com [202.81.31.247]) by e23smtp06.au.ibm.com (8.14.3/8.13.1) with ESMTP id nBA2IKY6015034 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:20 +1100
Received: from d23av01.au.ibm.com (d23av01.au.ibm.com [9.190.234.96]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nBA2EbQd1630218 for <tls@ietf.org>; Thu, 10 Dec 2009 13:14:38 +1100
Received: from d23av01.au.ibm.com (loopback [127.0.0.1]) by d23av01.au.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nBA2IR1n004126 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:27 +1100
Received: from d23ml003.au.ibm.com (d23ml003.au.ibm.com [9.190.250.22]) by d23av01.au.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id nBA2IRo1004120 for <tls@ietf.org>; Thu, 10 Dec 2009 13:18:27 +1100
In-Reply-To: <200912092020.nB9KKu39003981@fs4113.wdf.sap.corp>
To: mrex@sap.com
X-Mailer: Lotus Notes Release 7.0 HF277 June 21, 2006
Message-ID: <OF077778A0.30F948CF-ON4A257687.007F44D3-4A257688.000C7CE6@au1.ibm.com>
From: Michael Gray <mickgray@au1.ibm.com>
Date: Thu, 10 Dec 2009 12:16:24 +1000
X-MIMETrack: Serialize by Router on d23ml003/23/M/IBM(Release 7.0.2FP3HF80 | July 14, 2008) at 10/12/2009 13:25:26
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Cc: tls@ietf.org
Subject: Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 02:18:42 -0000
mrex@sap.com wrote: > Here is my analysis of the requirements and implementation efforts > for TLS extension RI with magic cipher suites value (MCSV), based on my > recent experiences from implementing draft-mrex-tls-secure-renegotiation-03 > in OpenSSL-0.9.8l and looking at the early implementation of draft-rescorla > in the OpenSSL-0.9.8-snapshot. > > The purpose of the MCSV is: > > - provide interop with installed base of old, extensions-intolerant > servers (original&correct SSLv3 and "defective" TLSv1.0) > > - provide protection from downgrade attacks > (extension-less ClientHello or SSLv2 ClientHello) > > - provide protection in backwards interop scenarios > (renegotiation requested by old servers). > > > in order to reliably provide this, > > - MCSV is defined to represent an empty TLS extension RI > > - MSCV MUST be included in *ALL* initial ClientHello handshakes > messages _plus_ all renegotiation ClientHellos in backwards > interop scenarios (independent of full handshake or session resume). > > - empty TLS extension RI MUST NOT be sent, ever! This looks good to me, the only thing I would change is I think MUST NOT would be better as SHOULD NOT as the later requires that the implementer examine the conditions and implications etc to make the best decision. We know that many current browsers always send extensions and for that use case there is no need to change due to this specification. However we also know that there is a large installed base of SSL consuming applications that are not browser related that have never had any requirement process extensions and therefore do not support extensions or are extension intolerant. > - TLS extension RI with Client.Finished.verify_data in ClientHello > - MUST NOT be sent on renegotiation handshakes in backward > interop scenarios with old servers which could otherwise break > - MUST be sent in all other renegotiations > > > If the spec would require that an empty TLS extension RI in a > ClientHello MUST be completely ignored, then _everyone_ can save 5-10 LoC. > > There is a significant difference between extensions-tolerant and > extensions-support. Extensions tolerant means, that a server > will not choke on a ClientHello handshake message, but instead > simply ignore all data following compression methods compliant > to the provision in the updated-but-never-published SSLv3, > TLSv1.0 and TLSv1.1 specs. > > In order to implement secure renegotiation with TLS extension RI > a "generic" TLS extensions parser (~150 LoC) is necessary to > find the TLS extension RI among other extensions, process it > and create and process the TLS extension RI reply. We used 177 LoC for a generic parser and another 106 LoC for the RI specific logic. However our experience is that additional effort to back port into unfamiliar old code is far more costly in time than one would expect based on LoC count even when considering we have current code that supports extensions. Additionally a large problem is testing this in code bases that do not support extensions. Manual testing can be done, but that is prone to error, is costly, and time consuming each time we release code, which means we will need to spend a lot more time developing automated testing. > Support > for other TLS extensions and API-level access to TLS extensions > is completely out-of-scope for the following. Agree > > > Adding MCSV to ClientHello on the client and parsing MCSV from > the ClientHello on the server will typically be <10 LoC each. Agree > > Creating an processing an empty TLS extension RI on the ServerHello > is also typically <10 LoC each for extension-less implementations. > > > Types of TLS peers in the current installed base: > > 1.) old TLS client, no extensions, no renegotiation > > 2.) old TLS client, no extensions, renegotiation > > 3.) old TLS client, extensions, no renegotiation > > 4.) old TLS client, extensions, renegotiation > > > 5.) old TLS server, extensions-intolerant, no renegotiation > > 6.) old TLS server, extensions-intolerant, renegotiation > > 7.) old TLS server, no extensions, no renegotiation > > 8.) old TLS server, no extensions, renegotiation > > 9.) old TLS server, extensions, no renegotiation > > 10.) old TLS server, extensions, renegotiation > > > The server patches that are currently applied in the field are > (6) -> (5) > (8) -> (7) > (10) -> (9) > > > Additional types of TLS peers when TLS extension RI is implemented: > > 11.) updated TLS client, RI-minimal, no renegotiation > > 12.) updated TLS client, RI-only, renegotiation > > 13.) updated TLS client, extensions, no renegotiation > > 14.) updated TLS client, extensions, renegotiation > > > 15.) updated TLS server, RI-minimal, no renegotiation > > 16.) updated TLS server, RI-only, renegotiation > > 17.) updated TLS server, extensions, no renegotiation > > 18.) updated TLS server, extensions, renegotiation > > > > Effect of requiring MCSV on implementation effort > -- for non-renegotiating servers: > > If we require MSCV on _every_ ClientHello > then the update (5),(6),(7),(8) -> (15) amounts to ~20 LoC > the update (9),(10) -> (17) amounts to ~40 LoC > > If we do not require MCSV on _every_ ClientHello > then the update (5),(6),(7),(8) -> (15) amounts to ~80 LoC > the update (9),(10) -> (17) amounts to ~60 LoC > > > Effect of requiring MCSV on implementation effort > -- for non-renegotiating clients: > > If we require MCSV on _every_ ClientHello, > then the update (1),(2) -> (11) amounts to ~20 LoC > (3) -> (13) amounts to ~40 LoC > > If we do not require MCSV on _every_ ClientHello, > then the update (1),(2) -> (11) amounts to ~80 LoC > (3) -> (13) amounts to ~60 LoC > These are very good numbers and closely match an internal analysis I have made. It is likely there will be Servers in critical production environments that can not be patched (e.g. vendor no longer in business) and they will have to be fully replaced, as time, planning and evaluation allows (as I noted here : http://www.imc.org/ietf-tls/mail-archive/msg11082.html) I think the fact that Clients may concurrently interact with Servers of types 5 to 10, means that the MCSV ONLY proposal is the best solution for a low risk deployment. > > > guestimates about secure rengotiation efforts: > > Servers: these are independent of whether MCSV is required > (10) -> (18) maybe ~180 LoC > (6),(8) -> (16) maybe ~200 LoC > (6),(8) -> (18) maybe ~250 LoC > > Clients: these are independend of whether MCSV is required. > (4) -> (14) maybe ~180 LoC > (2) -> (12) maybe ~200 LoC > (2) -> (14) maybe ~250 LoC > My guess is that at least five times the effort will be required to add testing of this into existing auto test harnesses for code levels that do not support extensions. Interestingly this vulnerability fix is the only reason these old code levels now need to support extensions. Given this large test impact I find the draft-mrex-tls-secure-renegotiation-03 alternate solution (which does not require full extension implementation) to be preferable. - Mick > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Analysis of Interop scenarios TLS extension… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Dieter Bratko
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… tom.petch
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Nelson B Bolyard
- Re: [TLS] Analysis of Interop scenarios TLS exten… Steve Checkoway
- [TLS] Black hole was Re: Analysis of Interop scen… tom.petch
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… David-Sarah Hopwood
- Re: [TLS] Analysis of Interop scenarios TLS exten… Michael Gray
- Re: [TLS] Analysis of Interop scenarios TLS exten… Pasi.Eronen
- Re: [TLS] Black hole was Re: Analysis of Interop … Martin Rex
- Re: [TLS] Black hole was Re: Analysis of Interop … Pasi.Eronen
- Re: [TLS] Black hole was Re: Analysis of Interop … Martin Rex
- Re: [TLS] Black hole was Re: Analysis of Interop … Bill Frantz
- Re: [TLS] Analysis of Interop scenarios TLS exten… Martin Rex
- Re: [TLS] Analysis of Interop scenarios TLS exten… Marsh Ray