IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Eric Rescorla <ekr@rtfm.com> Fri, 10 February 2017 20:39 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C1F129BB0 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLDu1FS8ffUL for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:39:45 -0800 (PST)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02245129BC3 for <tls@ietf.org>; Fri, 10 Feb 2017 12:39:45 -0800 (PST)
Received: by mail-yb0-x231.google.com with SMTP id w194so15006048ybe.0 for <tls@ietf.org>; Fri, 10 Feb 2017 12:39:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9rCSQbmXTVYjoEiylrCEYzOM3yn7eySJaysH+m3LkHI=; b=cBKrQdUrFJ1iUqp/8LZnjJRXkiHEsm3Qfq6XIU9yUT+rzIiYoSkxPg9cBryOJ9WOVo KWWUtttDF3NPNvRVAZBOXgqa4Nw/lHeHcchV4lpTfCAyG8yrfe4excOIRHRwOaFXyvC9 DPul9JcE/DSEOzjK3UrKklbX0EZXj2RgD6cDvJRRFEB3AhpbLEDRIAN/tyseBtIIE/6H x9AKVQR21ubUGJGUmzO+mQm+Vt1tvOstqFkzubaVzAMUXh0EdfpWjk7i9Mjjt+a+BuX9 LY+L2lXbN9pWlrZDy7fo5PGLd8i+iKF+IgKiClx9J5MgGucC9ZctTElgG+l4+gcspCV6 kaRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9rCSQbmXTVYjoEiylrCEYzOM3yn7eySJaysH+m3LkHI=; b=uOyLCmtz0aYmcfbfkS4eUB+xlqqqKWhZ6O8DpvbbsnpRrlbMDLFiBbGv01eQPvJvJe SRnfLu7OLbwALrR6I/lRwAUkrFiMbVVQTYoH478kgGt9qMMrVGdda2l2YJE12B+xuCDt y+nSlapPvWjVvrBCQWutgdGMm+0u0mgOlRly8WGEFuNWo9U9oEO+DIAhm4awtloq0m84 0rPQXTK1JfzpyN9LCgk7ido3BJC6Xk3oYr/1SOyqz0wFCgut0QOACgnRnF31kUxXaS4Y 6FzssuRZ5KmlTgklORQS23FyQ0RI6CzYDAVMuia7gsDtkpM/WFXzQKT9MBwOYgEf9z01 z3ug==
X-Gm-Message-State: AMke39kZmbLxXipyopFyvs49Le6IPmlluowVGsTFi+wqVzN06m8KVFZ5VdexPvsXCERXIFCer+hKu67W8trNpw==
X-Received: by 10.37.69.70 with SMTP id s67mr7629103yba.65.1486759184035; Fri, 10 Feb 2017 12:39:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Fri, 10 Feb 2017 12:39:03 -0800 (PST)
In-Reply-To: <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 10 Feb 2017 12:39:03 -0800
Message-ID: <CABcZeBPxid8W-r4uUXewFg+cYtUssqQLOcjJ=2ueuyVqj4qZUA@mail.gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
Content-Type: multipart/alternative; boundary="001a1135326e0832830548331993"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DX5ie8F9il70cEEpNdzRjT2O4-E>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 20:39:46 -0000

Cas, Sam,

I thought I understood your concern here but maybe I don't.

Say we have the following sequence of messages

  1. C->S: ClientHello
  2. S->C: ServerHello...ServerFinished
  3. C->S: ClientFinished
  4. C->S: App message
  5. S->C: App message
  6. S->C: CertificateRequest
  7: C->S: Certificate...Finished
  8: C->S: App message
  9: S->C: App message

As you indicate, there's some ambiguity from the client's perspective
(property B) about whether messages 5 and 9 were sent by the server
prior to or after receiving message 7, and also message 8. This
ambiguity exists even without an attacker and may or may not be
resolved at the application layer. An attacker can exploit this
ambiguity by holding messages 7 and 8 and (as long as application
semantics permit this).

Where I get confused is about property A. As I understand your
claim, an attacker can hold message 7 but deliver message 8 and
therefore, even if the client knows that 9 was in response to 8,
he doesn't know that the server received 7. As Ilari says, I don't
believe that this is correct because TLS enforces message ordering.
I agree that the specification doesn't explicitly say this, but
it's implicit in the processing rules via the following:

1. The encryption for each TLS record depends on the record sequence
   number (RSN).
2. Records do not carry their RSN, so when you decrypt a message, you
   must use the last RSN + 1
3. When you fail to decrypt a message (which is what happens if you have
   the wrong RSN) you are required to tear down the connection
   (https://tlswg.github.io/tls13-spec/#record-payload-protection).

For this reason, if the attacker removes message 7, then 8 will not
be decryptable, and so ordering is preserved. As Ilari says, this isn't
true in DTLS 1.3 which we'll presumably have to deal with one way
or the other before standardization (my plan would be just to forbid
post-handshake auth). Do you disagree with this? If so, perhaps you
could explain.

-Ekr

P.S. I am not sure that the regular TLS handshake guarantees these
properties either. The reason is that the server is permitted to
send data prior to receiving the client's second flight (0.5 RTT
data). See:
https://tlswg.github.io/tls13-spec/#protocol-overview





On Fri, Feb 10, 2017 at 11:45 AM, Sam Scott <sam.scott89@gmail.com> wrote:

> Hi Ilari,
>
> Thanks for the comments.
>
> Assuming the client sends a valid certificate that the server accepts,
> then the server cannot finish the handshake or begin processing incoming
> application data until authenticating the client. This *almost* gives us
> property (A). In practice, the client is aware that the server has
> successfully authenticated since the protocol continues.
>
> In the case that the server has implemented the reject option (rejecting a
> certificate but still continuing), and indeed rejects the certificate, then
> the server should send an alert message (or NAK of some form) for the
> property to hold in the initial handshake.
>
> However, even if we take the certificate reject + continue scenario into
> account for the initial handshake, then it is clear that this decision can
> only be made by the server in the initial handshake, while in the
> post-handshake client auth, an attacker can decide this (by dropping the
> message).
>
> The reason we don't believe an explicit ACK is needed is because upgrading
> to a new pair of keys explicitly provides this. Specifically, the client
> will send all subsequent data to the server under a new key. The server
> will not be able to decrypt this data until they receive the client
> authentication messages and upgrade the keys.
>
> This can be strengthened if the client's updated write key is computed
> using the authentication messages.
>
> We agree that TLS enforcing ordering of messages provides similar
> guarantees. However, we are analysing the specification as it is presented,
> which does not guarantee this.
>
> Thanks,
>
> Sam
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email