IETF Logo Mail Archive

Re: [TLS] To extend or not to extend

Eric Rescorla <ekr@networkresonance.com> Sun, 15 November 2009 11:37 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E15B03A6904 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 03:37:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.112
X-Spam-Level:
X-Spam-Status: No, score=-0.112 tagged_above=-999 required=5 tests=[AWL=0.041, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 82NASGelL66J for <tls@core3.amsl.com>; Sun, 15 Nov 2009 03:37:12 -0800 (PST)
Received: from genesis-hsia.quadriga-www.com (2.26.235.80.sta.estpak.ee [80.235.26.2]) by core3.amsl.com (Postfix) with ESMTP id B8C8F3A67C1 for <tls@ietf.org>; Sun, 15 Nov 2009 03:37:11 -0800 (PST)
Received: from [192.168.12.187] (helo=kilo.networkresonance.com) by genesis-hsia.quadriga-www.com with esmtp (Exim 3.34 #1) id 1N9dQM-0002bO-00 for tls@ietf.org; Sun, 15 Nov 2009 13:37:42 +0200
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 4E04D69F7B2; Sun, 15 Nov 2009 13:38:57 +0200 (EET)
Date: Sun, 15 Nov 2009 13:38:57 +0200
From: Eric Rescorla <ekr@networkresonance.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE5091A760A@xmb-sjc-225.amer.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE5091A760A@xmb-sjc-225.amer.cisco.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091115113857.4E04D69F7B2@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] To extend or not to extend
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 11:37:13 -0000

At Sun, 15 Nov 2009 03:13:01 -0800,
Joseph Salowey (jsalowey) wrote:
> 
> We need to close on this issue.  To summarize the RI proposal (the draft
> submitted last week) has the following properties in various situations
> 
> 
> A. The RI proposal works fine if both client and server are patched.  
> 
> B. The RI proposal works fine if the client is not patched and the
> server is (the server ends up disabling re-negotiation).  
> 
> C. The RI proposal works fine if the client is patched and the server is
> not, if the server is implemented correctly. 
> 
> D. The RI proposal works fine if the client is patched and the server
> does not implement the SSL 3.0 and the TLS 1.x specs correctly (barf if
> they see an extension) and the client desires to implement an secure
> policy and disallows connections to non patched servers
> 
> E. The RI proposal has an issue if the client is patched and the server
> does not implement the SSL 3.0 and the TLS 1.x specs correctly and the
> client as a lenient policy which allows connection to insecure servers.
> In this case the client would have to implement some fallback logic
> (reconnect without extensions) to deal with broken servers.  This logic
> is well-known, but it leaves a roll-back attack open.  This can be
> plugged by using the proposed ciphersuite signal only in the case where
> extensions cause a handshake or connection failure.  The fallback
> cipher-suite signaling for RI to prevent rollback extends TLS in an
> unexpected way, but this is limited only to the case where we have to
> deal with broken implementations.  

So, thinking further on my earlier message, I think the following 
elaboration will work a bit better:

- Strict clients (those which wish to insist on RI) generate RI on
  initial handshake. As I said earlier, I don't think this is
  useful, but it works.

- Lenient clients do not generate RI on initial handshake but do
  generate it on rehandshake with TLS 1.0+ only. 
  + Moderately lenient clients can fail if the server does not
    do RI.
  + Really lenient clients can ignore the server's failure to
    do RI.


This has the following advantages:
For all non-renegotiated settings you get exactly the same interop
properties you ordinarily would. I.e., it just works. With
renegotiation, you get an extremely high interop probability even if
the server has not upgraded because compliant TLS implementations are
required to at worst ignore extensions (RFC 2246; S 7.4.1.2), and
you've already weeded out SSLv3-only implementations in the initial
handshake.

Now, there is still arguably a downgrade attack because the attacker
can simulate a completely broken SSLv3 stack and force you down to
SSLv3 in the initial handshake (they can't do it in later handshakes
because those are protected). Note, however, that since we're not 
exercising the extension logic in that handshake (though of course
the client may be exercising it for some other reason, say if it's
doing SNI), the server the attacker is simulating has to be really broken
because it's not handling version number negotiation correctly. However,
we can still use a cipher suite indicator if we think it's absolutely
necessary to allow fallback to SSLv3 here.

-Ekr

v2.23.0 | Report a Bug | By Email