IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Mon, 23 November 2009 20:07 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DCF63A692B for <tls@core3.amsl.com>; Mon, 23 Nov 2009 12:07:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.132
X-Spam-Level:
X-Spam-Status: No, score=-6.132 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tnDizJhyyDGT for <tls@core3.amsl.com>; Mon, 23 Nov 2009 12:07:10 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 033723A68C3 for <tls@ietf.org>; Mon, 23 Nov 2009 12:07:09 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nANK74Ll003878 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Nov 2009 21:07:04 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911232007.nANK736K022320@fs4113.wdf.sap.corp>
To: Pasi.Eronen@nokia.com
Date: Mon, 23 Nov 2009 21:07:03 +0100
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F310BB2AB@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Nov 23, 9 12:19:03 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2009 20:07:11 -0000

Pasi.Eronen@nokia.com wrote:
> 
> Martin Rex wrote:
> 
> > Does anyone remeber that the TLS WG gave the advice to people asking
> > for identity protection to perform an initial client-anonymous TLS
> > handshake directly followed by a renegotiation with client-cert
> > authentication?
> > 
> > (a related discussion what about gss-api authentication
> >  around 20-dec-2006, Subject: [TLS] Comments on TLS identity
> > protection)
> 
> Yes... and as Eric noted, as long as the 2nd handshake "directly
> follows" (=no application data is exchanged using the first session),
> this seems to be secure already....


But you do realize that there is an attack scenario where the server
sees only an initial authentication, and the client sees a renegotiation?

The MitM could use it to perform some kind of "bouncing-attack",
where it feeds the client with a crafted request (like a form)
and then links the client with the real server.

So it is necessary for both sides to check, a check on the server
alone is not sufficient.  And if we're changing code, we could
just as well deploy the fix for the weakness (provided TLS WG
can agree on one solution).


-Martin

v2.23.0 | Report a Bug | By Email