Re: [TLS] Rizzo claims implementation attach, should be interesting

Marsh Ray <marsh@extendedsubset.com> Tue, 20 September 2011 02:28 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B963721F8AE1 for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 19:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.578
X-Spam-Level:
X-Spam-Status: No, score=-2.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lGGbyIDufYva for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 19:28:56 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-04-ewr.mailhop.org [204.13.248.74]) by ietfa.amsl.com (Postfix) with ESMTP id C8D7E21F8ADC for <tls@ietf.org>; Mon, 19 Sep 2011 19:28:56 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1R5q7F-0007Hf-0d; Tue, 20 Sep 2011 02:31:21 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 7816D606C; Tue, 20 Sep 2011 02:31:18 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18iKor3Ez4FZEQqq4ENuFSZPmQdsg5iMVw=
Message-ID: <4E77FAF6.90707@extendedsubset.com>
Date: Mon, 19 Sep 2011 21:31:18 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13
MIME-Version: 1.0
To: mrex@sap.com
References: <201109200053.p8K0r5Pv012913@fs4113.wdf.sap.corp>
In-Reply-To: <201109200053.p8K0r5Pv012913@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Steingruebl Andy <asteingruebl@paypal-inc.com>, tls@ietf.org
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 02:28:57 -0000

On 09/19/2011 07:53 PM, Martin Rex wrote:
>
> It seem to be a huge hype an exxageration of the problem.
> There is *no* problem in SSLv3 or TLSv1.0.  This particular attack
> is a very clear "Man-in-the-Browser" attack enabled solely by the
> entirely braindead (lack-of) security in common Web Browsers.
>
> Since the attack happens entirely at the browser, it should IMHO
> the browser's duty to fix this.

Last I checked, the TLS RFC stated explicitly that the protocol defended 
explicitly against man-in-the-middle attacks. It did not say it defended 
against "blockwise-adaptive chosen-plaintext" attacks.

But why split hairs over it? It breaks a basic security properties of 
the system even if the application designer has done everything 
according to the recommendations in the spec. Since when did "trusted 
script only" in the application become a requirement for transport layer 
security?

> Potential server-side mitigation of the problem:
>
>    - disable HTTP request pipelining (aka Connect: keep-alive)

Expensive.

>    - avoid CBC-based cipher suites (at least when SSLv3 or TLSv1.0
>      is negotiated), and use RC4-128 instead.

Does TLS's use of RC4 still take the first bytes after initialization 
with the key? Or does it discard the proper amount?

I believe there was a mitigation put in place by OpenSSL: sending an 
empty (just padding) message before each app data message. The document 
at eprint.iacr.org/2006/136 suggests that this could be a server-side 
only change. I don't see how that would work since the session cookie 
recovery attack is clearly happening on the client->server channel.

I read somewhere that this mitigation was off by default in OpenSSL 
because it some software (an old MSIE IIRC).

Does anyone believe there would be support for a TLS 1.0 Hello extension 
that could compatibly negotiate the use of empty messages in each 
direction as a mitigation for this attack?

I've not been told the details of Duong and Rizzo's attack and haven't 
seen "the BEAST" in action yet, so I'm not sure if that would be 
sufficient to fix CBC in TLS 1.0. I am slightly annoyed at these guys 
for dribbling out the information one hint at a time like this.

- Marsh