Re: [TLS] History of extensions

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 12 November 2009 18:37 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B69E53A6AF3 for <tls@core3.amsl.com>; Thu, 12 Nov 2009 10:37:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.027
X-Spam-Level:
X-Spam-Status: No, score=-6.027 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yv4QzyXYVbih for <tls@core3.amsl.com>; Thu, 12 Nov 2009 10:37:20 -0800 (PST)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id A76CF3A6AF2 for <tls@ietf.org>; Thu, 12 Nov 2009 10:37:20 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nACIbnEX003617 for <tls@ietf.org>; Thu, 12 Nov 2009 18:37:49 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nACIbnk5003483 for <tls@ietf.org>; Thu, 12 Nov 2009 11:37:49 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nACIIj6r018401; Thu, 12 Nov 2009 12:18:45 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nACIIjt4018400; Thu, 12 Nov 2009 12:18:45 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 12 Nov 2009 12:18:45 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Marsh Ray <marsh@extendedsubset.com>
Message-ID: <20091112181844.GE1105@Sun.COM>
References: <200911120512.nAC5CiIu019763@fs4113.wdf.sap.corp> <4AFBBE35.4010306@extendedsubset.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4AFBBE35.4010306@extendedsubset.com>
User-Agent: Mutt/1.5.7i
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] History of extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 18:37:21 -0000

On Thu, Nov 12, 2009 at 01:50:13AM -0600, Marsh Ray wrote:
> Martin Rex wrote:
> > That is wrong.  The SSLv3 spec has the exact same provisions for
> > TLS extensions as the TLSv1.0 and TLSv1.1 specs.
> >
> > TLS extensions became a standard part of the protocol in TLSv1.2 only.
> >
> > Compare the specs and you will see.
> 
> Very enlightening, it's even more complicated than you said. No wonder
> these things don't interoperate quite so well.
> 
> Here's what I find:

Indeed.

And I should add that the re-negotiation channel binding can be achieved
_without_ ServerHello extensions!  If that means improved odds for
interop, then you should consider it.

How?  Here's two options:

Option 1: All-or-nothing binding (no support negotiation)

 - The client sends a ClientHello extension saying it _will_ add the
   outer connection's client Finished message to the inner connection's
   Finished message PRF inputs, but the extension does not include that
   data;

 - The server either knows the extension or doesn't:

    - If the server knows the extension, it will modify its Finished
      message computations in the same way as the client, and if both
      have the same outer connection's client Finished message at hand,
      then the handshake will succeed, else it will fail (i.e., the
      inner connection's Finished messages will not check out);

    - If the server does NOT know the extension then it will proceed as
      usual and so... will fail to verify the client's Finished message,
      and the client will fail to verify server's Finished message.

Option 2: Secure negotiation (client can securely detect if the server
	  supports binding, and can choose to forego channel binding if
	  the server doesn't)

 - The client sends a ClientHello extension that includes the outer
   connection's client Finished message;

 - The client will add the outer connection's server Finished message to
   the inner connection's _server_ Finished message PRF inputs (but not
   to the inner connection's _client_ Finished message PRF inputs);

 - The server either knows the extension or doesn't:

    - If the server knows the extension, it will modify its Finished
      message computations in the same way as the client, and if both
      have the same outer connection's server Finished message at hand,
      then the handshake will succeed, else it will fail (i.e., the
      inner connection's Finished messages will not check out);

    - If the server does NOT know the extension then it will proceed as
      usual and so... will fail to verify the client's Finished message,
      and the client will fail to verify server's Finished message.

Note that in either case the ClientHello extension is "non-critical" (in
one sense), there's no ServerHello extension, but the client reliably
finds out if the server understood the extension.  There's no reflection
attack.  The server cannot be implemented incorrectly (that is, it can't
parrot something the client sent).

In option (2) the client gets to reliably discover whether the server
supports the extension, but in a way such that the only way that an MITM
can fool the client is if the negotiated cipher suite does not
authenticate the server (if a server cert is used, then the MITM is
out unless the MITM has the private keys to that cert).  But even if
such a cipher suite had been negotiated, the MITM cannot leverage the
client's user cert authentication to authenticate to the server.

In neither option can the MITM get away with stripping the extension
from the client's Hello, nor can the MITM cause the outer connection's
channel bindings data to match on the client and server side.

The nice thing here is that option (2) could be implemented even by
SSLv3 clients and servers (supposing anyone would bother to patch
those).

Nico
--