IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 10 February 2017 17:22 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5D9129A65 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 09:22:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFnc4-wgmeJ7 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 09:22:29 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id 45B5D129A61 for <tls@ietf.org>; Fri, 10 Feb 2017 09:22:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1215E1EE5F; Fri, 10 Feb 2017 19:22:27 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id Kh7btRsSs81B; Fri, 10 Feb 2017 19:22:26 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 6EBB4C4; Fri, 10 Feb 2017 19:22:26 +0200 (EET)
Date: Fri, 10 Feb 2017 19:22:24 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Message-ID: <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8Ug18y_iGjeajk-2Y9DK9qq4Ivs>
Cc: tls@ietf.org
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 17:22:31 -0000

On Fri, Feb 10, 2017 at 12:43:56PM +0000, Cas Cremers wrote:
> Dear all,
> 
> In the process of completing our Tamarin analysis of TLS 1.3 revision 18,
> we hit upon some behaviour that may lead to applications making incorrect
> assumptions. It is not an immediate attack, but we can imagine scenarios
> where it can cause problems. We describe it below, and show that it is
> possible to adapt the protocol (leveraging existing mechanisms) to avoid a
> mismatch.

Ah, Post-HS auth, one of the two things in TLS 1.3 that scare me. :-)

> Currently, the post-handshake client authentication does not cause updates
> to the transcript, and does not necessarily trigger key updates. As a
> result, the post-handshake client authentication offers substantially lower
> guarantees *for the client* than the normal mutual authentication. To see
> why this is the case, consider the following two properties that hold for
> the mutually authenticated handshake:
> 
> (A) After the mutually authenticated handshake, a client who sends some
> data can be sure that if the server receives it, the server will be aware
> that it comes from an authenticated client.

AFAICT, this fails even for TLS 1.3 in-handshake authentication.

> (B) After the mutually authenticated handshake, a client who receives some
> data can be sure that when the server sent it, the server was aware that it
> was sending it to an authenticated client. (Formally: upon receiving data,
> the client has agreement with the server on the status (unilateral/mutual)
> of the connection.)

And this too (failure of (A) already impiles this fails).

> However, this is not the case for a post-handshake client authentication.
> After performing a post-handshake authentication (in which the client sends
> its certificate), and possibly after exchanging further messages with the
> server, the client may send some critical data. This data may be stored
> insecurely as there will be a mismatch between the client and server’s
> respective views of authentication if the post-handshake authentication
> messages are not processed by the server and/or dropped by an attacker.

In TLS, the messages can't be dropped without tearing the entiere client-
server link, but the server may indeed fail to process them.

DTLS is another can of worms.
 
> Option 1: Fix
> 
> In our view, the unilateral/mutual authentication status should be part of
> the context, and thus correspond to different keys. We are aware that the
> server’s request for post-handshake authentication is desired to be
> asynchronous (since user input might be needed). The most natural fix to
> the problem therefore is to include the client's response authentication
> messages (certificate etc.) in the message transcript, and require key
> updates.

This would require ACK/NAK for the authentication and restricting server
to just one pending authentication in order to properly serialize the
message order.

And ACK/NAK is needed because otherwise this AFAICT won't solve the
problem. And if you have the ACK/NAK, that should take care of the
problem in cases not involving weak algorithms.

> Option 2: Partial fix
> 
> It is also possible to simply update the keys, leaving the transcript as
> is. This allows the client to infer whether his authentication message was
> received. However it does still allow for re-ordering of some messages.
> This has the disadvantage that the client certificate is still not included
> in the context, which may be problematic further down the line.

I don't see how this helps: The client already knows its authentication
block was delivered before any further data it sent. What it doesn't know
is if the server acted on it.
 
> Option 3: Don’t fix (“Somebody Else’s Problem shield”)
> 
> If we do not change the protocol, the draft should be updated to explicitly
> state that after a post-handshake authentication, the client can make no
> assumptions on the authentication status of the connection (mutual or
> unilateral). If the client would like to know the perceived status, it
> could ask the application layer. We do not advocate this solution, since
> the resulting difference between the guarantees of a regular mutually
> authenticated handshake and a post-handshake client authentication will
> surely lead to problems somewhere, and client applications will wrongly
> assume that after they send the post-handshake certificate, the server is
> aware that the connection is mutually authenticated.

AFICT, This isn't just for post-handshake authentication. And also, the
TLS stack has pretty limited view. It can't realistically assumed to
know the actual authentication status of the connection.


-Ilari

v2.23.0 | Report a Bug | By Email