Re: [TLS] TLS identity protection using Signaling Cipher Suite Value
Badra <mbadra@gmail.com> Wed, 30 November 2011 23:01 UTC
Return-Path: <mbadra@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D99621F8BEB for <tls@ietfa.amsl.com>; Wed, 30 Nov 2011 15:01:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPOpeq6vkedT for <tls@ietfa.amsl.com>; Wed, 30 Nov 2011 15:01:43 -0800 (PST)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4EB1321F8ACC for <tls@ietf.org>; Wed, 30 Nov 2011 15:01:43 -0800 (PST)
Received: by vcbfy13 with SMTP id fy13so1075693vcb.31 for <tls@ietf.org>; Wed, 30 Nov 2011 15:01:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tXsh254V5L4eEEaDEcsoxiSidjD7fPXzu8kUnOZBCoU=; b=xacV0OQLPLiBfYeVZzNvpZTt9MJQbjfrgqxaEcIlWOH5lleE1FU83r2akHlYL2QN3z GoULgORLnYFCTV4nO49vT4GllJMeFZBlR7z7LIy6mfAjrBFEIDtS8UamLjQQbnbGjSS/ qx+kcp/p1WoZFrbtg118yL33O+qjtOPs2jZsE=
MIME-Version: 1.0
Received: by 10.52.94.227 with SMTP id df3mr4140186vdb.51.1322694102728; Wed, 30 Nov 2011 15:01:42 -0800 (PST)
Received: by 10.220.191.13 with HTTP; Wed, 30 Nov 2011 15:01:42 -0800 (PST)
In-Reply-To: <201111301923.pAUJN6VR022639@fs4113.wdf.sap.corp>
References: <CAOhHAXy=4vTRxO13=xkSQ9i3qcAa=TxRSt15hVBv85juu0xkUw@mail.gmail.com> <201111301923.pAUJN6VR022639@fs4113.wdf.sap.corp>
Date: Thu, 01 Dec 2011 00:01:42 +0100
Message-ID: <CAOhHAXzwDB+9ABL2k5mUEFvXckoFbRCkQfuQyCruqN+MQBRS_g@mail.gmail.com>
From: Badra <mbadra@gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="20cf307d048e23c1cd04b2fbb81e"
Cc: tls@ietf.org
Subject: Re: [TLS] TLS identity protection using Signaling Cipher Suite Value
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2011 23:01:44 -0000
On Wed, Nov 30, 2011 at 8:23 PM, Martin Rex <mrex@sap.com> wrote: > > A signaling cipher suite value is certainly *MUCH* better than > the other proposal for a cartesian product of common ciphersuites. > > Although performing negotiation of this capability through ciphersuite > values instead of a TLS extension would protect against a very simplistic > DoS attack against a TLS handshake between the rightful client and > rightful server using TLS extension (but only in case the client is > capable and willing to perform a reconnect fallback with an > extension-less ClientHello), > this approach can *NOT* protect against an active attacker that > is determined to learn the client's identity and does not > care about causing a failed TLS handshake while doing so. > > As I previously mentioned, the only reliable protection during the > handshake would be an indication from the server that is authenticated > by the server credential an can *not* be stripped from the handshake. > Basically, it would need to be hardwired into the server's credential, > like an additional certificate extension or a new EKU OID. > > As you previously mentioned too, hardwiring an new optional TLS protocol feature into a TLS server certificate, resulting in potentially hard to diagnose handshake failures. Can in this case extend the ServerKeyExchange structure as follow: struct { select (KeyExchangeAlgorithm) { case rsa: struct { } ; case rsa_scsv: // message is NOT omitted when SCSV is received struct { digitally-signed struct { opaque handshake_messages[handshake_messages_length]; } } ; }; } ServerKeyExchange; handshake_messages refers to all handshake messages sent or received, starting at client hello and up to, but not including, this message. If the client doesn't receive such a message from the server, it must stop the TLS handshake It may be costly for the serer to sign this message for each handshake. The server can, for every one day, sign the concatenation of SCSV code and the day's date and send the result during every handshake that may happen during that day. > The Finished MAC protection of the handshake contents can only protect > the application from using the resulting connection, it can not > protect the negotiation and use of protocol features _during_ > the TLS handshake because modifications of the handshake by an > active MitM can only reliably be detected *after* the handshake when > verifying the finished messages. > True, and this is applied to any feature supported by TLS Best regards, Badra
- [TLS] TLS identity protection using Signaling Cip… Badra
- Re: [TLS] TLS identity protection using Signaling… Martin Rex
- Re: [TLS] TLS identity protection using Signaling… Badra
- Re: [TLS] TLS identity protection using Signaling… Martin Rex
- Re: [TLS] TLS identity protection using Signaling… Mohamad Badra