Re: [TLS] draft-ietf-tls-renegotation: next
Kyle Hamilton <aerowolf@gmail.com> Thu, 17 December 2009 22:55 UTC
Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43C473A69EE for <tls@core3.amsl.com>; Thu, 17 Dec 2009 14:55:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.57
X-Spam-Level:
X-Spam-Status: No, score=-2.57 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KQecsG7-plvg for <tls@core3.amsl.com>; Thu, 17 Dec 2009 14:55:40 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id 07F753A69F5 for <tls@ietf.org>; Thu, 17 Dec 2009 14:55:40 -0800 (PST)
Received: by pwi20 with SMTP id 20so1705949pwi.29 for <tls@ietf.org>; Thu, 17 Dec 2009 14:55:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=E62g4VKLjiKpfviSyFk0htP2KYeQ1/krpNqWxVY3kZ8=; b=ml//ZHQU8mbzrvwg2YGBKU8YeHPo8WvXRWbz5LrE4KKkzXdmuCcrq1b6fC3ZAucz8W Mz1LK3oTT3Ip6Kj2fJz3HiRpdNw/HjdCMu7gkyOLZAhVZkWY6rdwRkOh/+Wcn2qyGHpp 7x6r2pN9HLonGCVwaWs0pY4jANrcEP5PmipEU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=Xddz3/XCvAHUNZ2m7aYMwzJGDud+RSPasaVLhQL1b4UBtuHCpAhHH/j/J+wFp2drwQ ofnotvVeoDZdSrH3Xf7GCbRLx98YwfCvmQhnn79bS0M8Dw0bb8NxTiZmsjeGmew2n2vd SyCfCfG9woE4I9KC6l5Y3u5BHKZRqrx8dZXzE=
MIME-Version: 1.0
Received: by 10.142.8.35 with SMTP id 35mr2105517wfh.30.1261090522758; Thu, 17 Dec 2009 14:55:22 -0800 (PST)
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31F777D1@NOK-EUMSG-01.mgdnok.nokia.com>
References: <200912162001.nBGK1K4I028293@stingray.missi.ncsc.mil> <200912162059.nBGKx7Sv017923@fs4113.wdf.sap.corp> <808FD6E27AD4884E94820BC333B2DB774F31F777D1@NOK-EUMSG-01.mgdnok.nokia.com>
Date: Thu, 17 Dec 2009 14:55:22 -0800
Message-ID: <6b9359640912171455j4c949defu25b5ad79348197da@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Pasi.Eronen@nokia.com
Content-Type: text/plain; charset="UTF-8"
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 22:55:41 -0000
I support making the MCSV mandatory in the ClientHello. The benefit is obvious: the server *knows*, without a doubt, that the client knows how to do secure renegotiation, even if the client doesn't send the extension. This means that servers can relax their "absolutely no renegotiation" stance, in regards to that particular client, in the same way that they could if they received the extension. As far as I can tell, there is no mechanism (other than extensions) for the server to signal the client that it knows how to do the secure renegotiation. As has been discussed, this would be a static set of 6 bytes appended to the ServerHello. I rather disagree with making the RI extension anything other than empty, because each peer *must* (in order to implement it securely) remember the last hashes for that session and compare them to see if they match, else the MITM could just add bogus information that isn't checked and the handshake proceeds anyway -- which violates the authenticity guarantee. If we're going to force the implementors to save the hashes anyway, why should we take the risk of putting them out on the wire? (To avoid a "chosen plaintext" attack... against a key and negotiation that's about to change?) If the values calculated don't match up with what's received from the other end, the ChangeCipherSpec will work but the Finished message won't be able to be decoded, which will cause the connection to be aborted. (However, I do recognize that putting the prior hashes into an RI extension will cause them to be part of the final hash for Finished anyway, without requiring any changes in how the cryptographic system is set up. I'm unhappy with this idea, though, because there are still MANY extension-agnostic clients and servers out there. Clients won't send extensions if they don't have to, and servers won't show that they know about extensions unless the client shows exactly the extension they expect.) If those hashes are saved by each peer (as would be required under this proposal), then it follows that since they're placed under separate cover by the Finished message, they're an appropriate input for the Renegotiation-Finished hash calculation. Again, there's no reason to put them on the wire. What we're looking for isn't really a "session-based" design -- we're simply looking for a way to authenticate future handshakes as following naturally from prior handshakes. The session parameters are frozen by the time ChangeCipherSpec hits; the Finished message is and always has been the time to determine whether the peer understands the cipher spec parameters. Also, it is illegal for any TLS implementation to negotiate NULL-NULL-NULL, and it is illegal for any TLS implementation to transmit application data after the initial handshake has been initiated and before the Finished messages have been generated by both sides. This would suggest that another mitigation for this attack would be to include a zero-length application-data packet in all renegotiations; if one side thinks it's an initial negotiation, and it receives an application data packet under the state that it thinks is NULL-NULL-NULL, it is required that it close the connection with a fatal handshake_failure alert. (The only problem with this potential mitigation is that if the client is connected to the MITM, and the MITM is connected to the server, the MITM could simply strip out the zero-length application-data chunk, since TLS relies on underlying mechanisms to verify that it has a two-way error-detected/corrected clear channel -- TCP/IP, SPX/IPX, a clean serial line, or an MNP5 modem. TLS doesn't try to detect lost chunks from the server.) So, in addition to mandating the MCSV, I also support an empty RI extension as a means of notifying the server that the client knows how to do it. For interoperability and ease of implementation, it's an easy MUST to send both, if the client understands how to send extensions. I'm less happy about forcing the client to understand extensions enough to verify the data being put into the RI extension on subsequent handshakes, but even in that case the ServerHello wouldn't have the correct 6 bytes at the end (for the initial handshake that the client sees) and thus would cause the client to abort with a handshake_failure. (Since the cryptographic properties of the protocol aren't being discussed, it's only a matter of identifying what oversight in the TLS protocol allowed this attack to work, which is simply that a means was found to trick both sides of a connection into believing that the connection was continuous without cryptographic verification.) At least one good thing that the original protocol designers did was to ensure that both peers must renegotiate their own cipher parameters in the event that either side initiates a renegotiation. Since it's mandatory that servers include the bytes after the end of the ClientHello as part of the hash of handshake messages, regardless of whether it can identify them or not (this was the language previous to TLS-EXT), the client can send anything it wants. The server side is a bit more complex: it can't signal anything to the client unless it uses an extension. For the client, it's very easy to compare 6 bytes in memory to verify that the extension exists and is the proper one. It's only if the Finished message happens and it doesn't have the correctly-seeded hash that it's detected as being bogus. (Notably, the TLS specification requires that after the initial negotiation, applications need to be able to interleave data into the connection -- except in the case of ChangeCipherSpec and Finished, where Finished must always be sent immediately after the ChangeCipherSpec is sent. A way to break compatibility with older clients would be to send a zero-length, HMAC'd application data chunk between the ChangeCipherSpec and Finished messages, using the cipher suite that was put into the current connection state by the ChangeCipherSpec, not count it as a handshake message, and only after that send the Finished message precisely as it is calculated elsewhere. I would prefer that it not be broken, but it could be a means by which TLS 1.3+ ensures that the handshakes under its own cover are acceptable.) Once a handshake determined to be bogus, the spec is clear: abort the connection with a handshake_failure alert. I support making what I see is the minimum number of changes in the specification necessary to ensure security, in such a way as to minimize the amount of work to implementation developers. If there is a way that is simpler, I would like to see it. (I'm wondering if it's time to start making breaking changes, and call the result TLS v2.0.) -Kyle H On Thu, Dec 17, 2009 at 3:30 AM, <Pasi.Eronen@nokia.com> wrote: > Martin Rex worte: > >> I do not fully agree with the AD's determination of rough consensus. >> >> For the MCSV signaling, the real rough consensus is different from >> what Pasi wrote: >> >> http://www.ietf.org/mail-archive/web/tls/current/msg05306.html >> >> A mandatory Client->Server signaling through cipher suite may >> have less fanatic followers by the count of numbers, but technical >> advantages and _no_ technical objections have been raised against it. > > Several people have very clearly and strongly objected to making the > MSCV mandatory-to-include in ClientHello. You seem to be suggesting > that their opinions don't somehow matter because they are, in *your* > opinion, not "technical". > >> The current either cipher suite or empty TLS extension RI signaling >> may have more "pro", but has significant objections against it >> because of the ambiguity, increased complexity, a 4x code size >> burden for old non-rengotiating servers and additional testing >> complexity. > > If the specification text is ambiguous, we obviously need to fix that. > > About the code/testing complexity/effort: I would say most people > believe that no matter what details get selected, this is not a > significant amount of work (so small differences in lines of code or > test cases should not signify much in making the decision). > >> So as far as rough consensus is concerned, it is definitely with the >> approach I described. > > I disagree. > > Best regards, > Pasi > (wearing Security Area Director hat) > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood