Re: [TLS] Could the renegotiation attack be used for session hijacking?

Marsh Ray <marsh@extendedsubset.com> Mon, 09 November 2009 15:17 UTC

Yoav Nir wrote:
> 
> 1. Client connects without a certificate, but the session is
> authenticated by the protocol (like an HTTP form or FTP login). The MITM
> just proxies the connection to allow the client to authenticate.

TLS is now doing its job providing encryption and MITM cannot read or
modify traffic.

> 2. After a while, the session requires rekeying, so the server sends a
> HelloRequest.

This will be observable by MITM because the record layer does not
encrypt the payload type identifier. It will be seen as a handshake
message from server to client, I believe of predictable size.

> 3. The MITM stops passing data to the client, and sends a ClientHello to
> the server.

The renegotiation handshaking is covered by the encryption state of the
previous session. So this attack is defeated.

It may be that some TLS servers would accept an unencrypted Client Hello
at this point, or even an SSLv2-compatible Client Hello which may be
handled by a different code path. But I don't think those would be bugs
in the TLS protocol, just implementation bugs.

- Marsh
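
Added example, not part of the original message: a passive parser for the cleartext TLS record header, showing why a handshake record sent mid-session is visible to an on-path observer even though its body is encrypted. The sample bytes, the `record` helper and all function names are constructed for illustration.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_records(stream: bytes):
    """Split a captured byte stream into TLS records using only the cleartext header.

    Returns (records, leftover): records is a list of (type_name, version, length)
    tuples; leftover holds the trailing bytes of an incomplete record.
    """
    records, offset = [], 0
    while len(stream) - offset >= 5:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if len(stream) - offset - 5 < length:
            break  # record body not fully captured yet
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        offset += 5 + length
    return records, stream[offset:]

def mid_session_handshakes(records):
    """Indexes of handshake records seen after application data has started flowing."""
    seen_app_data, hits = False, []
    for i, (name, _version, _length) in enumerate(records):
        if name == "application_data":
            seen_app_data = True
        elif name == "handshake" and seen_app_data:
            hits.append(i)
    return hits

def record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one record for the constructed sample below."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

# Constructed sample: server-to-client bytes from an established session.
# Bodies are placeholder bytes standing in for ciphertext; lengths are arbitrary.
SAMPLE = (
    record(23, b"\xaa" * 64)
    + record(23, b"\xbb" * 128)
    + record(22, b"\xcc" * 32)      # encrypted handshake message, e.g. a HelloRequest
    + record(23, b"\xdd" * 16)[:9]  # final record truncated by the capture
)

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for r in recs:
        print(r)
    print("mid-session handshake at:", mid_session_handshakes(recs), "leftover bytes:", len(rest))
```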