Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 10 February 2017 17:22 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5D9129A65 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 09:22:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFnc4-wgmeJ7 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 09:22:29 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id 45B5D129A61 for <tls@ietf.org>; Fri, 10 Feb 2017 09:22:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1215E1EE5F; Fri, 10 Feb 2017 19:22:27 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id Kh7btRsSs81B; Fri, 10 Feb 2017 19:22:26 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 6EBB4C4; Fri, 10 Feb 2017 19:22:26 +0200 (EET)
Date: Fri, 10 Feb 2017 19:22:24 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Message-ID: <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8Ug18y_iGjeajk-2Y9DK9qq4Ivs>
Cc: tls@ietf.org
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 17:22:31 -0000
On Fri, Feb 10, 2017 at 12:43:56PM +0000, Cas Cremers wrote: > Dear all, > > In the process of completing our Tamarin analysis of TLS 1.3 revision 18, > we hit upon some behaviour that may lead to applications making incorrect > assumptions. It is not an immediate attack, but we can imagine scenarios > where it can cause problems. We describe it below, and show that it is > possible to adapt the protocol (leveraging existing mechanisms) to avoid a > mismatch. Ah, Post-HS auth, one of the two things in TLS 1.3 that scare me. :-) > Currently, the post-handshake client authentication does not cause updates > to the transcript, and does not necessarily trigger key updates. As a > result, the post-handshake client authentication offers substantially lower > guarantees *for the client* than the normal mutual authentication. To see > why this is the case, consider the following two properties that hold for > the mutually authenticated handshake: > > (A) After the mutually authenticated handshake, a client who sends some > data can be sure that if the server receives it, the server will be aware > that it comes from an authenticated client. AFAICT, this fails even for TLS 1.3 in-handshake authentication. > (B) After the mutually authenticated handshake, a client who receives some > data can be sure that when the server sent it, the server was aware that it > was sending it to an authenticated client. (Formally: upon receiving data, > the client has agreement with the server on the status (unilateral/mutual) > of the connection.) And this too (failure of (A) already impiles this fails). > However, this is not the case for a post-handshake client authentication. > After performing a post-handshake authentication (in which the client sends > its certificate), and possibly after exchanging further messages with the > server, the client may send some critical data. This data may be stored > insecurely as there will be a mismatch between the client and server’s > respective views of authentication if the post-handshake authentication > messages are not processed by the server and/or dropped by an attacker. In TLS, the messages can't be dropped without tearing the entiere client- server link, but the server may indeed fail to process them. DTLS is another can of worms. > Option 1: Fix > > In our view, the unilateral/mutual authentication status should be part of > the context, and thus correspond to different keys. We are aware that the > server’s request for post-handshake authentication is desired to be > asynchronous (since user input might be needed). The most natural fix to > the problem therefore is to include the client's response authentication > messages (certificate etc.) in the message transcript, and require key > updates. This would require ACK/NAK for the authentication and restricting server to just one pending authentication in order to properly serialize the message order. And ACK/NAK is needed because otherwise this AFAICT won't solve the problem. And if you have the ACK/NAK, that should take care of the problem in cases not involving weak algorithms. > Option 2: Partial fix > > It is also possible to simply update the keys, leaving the transcript as > is. This allows the client to infer whether his authentication message was > received. However it does still allow for re-ordering of some messages. > This has the disadvantage that the client certificate is still not included > in the context, which may be problematic further down the line. I don't see how this helps: The client already knows its authentication block was delivered before any further data it sent. What it doesn't know is if the server acted on it. > Option 3: Don’t fix (“Somebody Else’s Problem shield”) > > If we do not change the protocol, the draft should be updated to explicitly > state that after a post-handshake authentication, the client can make no > assumptions on the authentication status of the connection (mutual or > unilateral). If the client would like to know the perceived status, it > could ask the application layer. We do not advocate this solution, since > the resulting difference between the guarantees of a regular mutually > authenticated handshake and a post-handshake client authentication will > surely lead to problems somewhere, and client applications will wrongly > assume that after they send the post-handshake certificate, the server is > aware that the connection is mutually authenticated. AFICT, This isn't just for post-handshake authentication. And also, the TLS stack has pretty limited view. It can't realistically assumed to know the actual authentication status of the connection. -Ilari
- [TLS] Awkward Handshake: Possible mismatch of cli… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Victor Vasiliev
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Thomson
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex