Re: [TLS] Handshake not under protection
Martin Rex <mrex@sap.com> Mon, 21 December 2009 22:23 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 18C4428C148 for <tls@core3.amsl.com>; Mon, 21 Dec 2009 14:23:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.194
X-Spam-Level:
X-Spam-Status: No, score=-6.194 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYkrnc6X22RU for <tls@core3.amsl.com>; Mon, 21 Dec 2009 14:23:13 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 52A5F3A686C for <tls@ietf.org>; Mon, 21 Dec 2009 14:23:12 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBLMMsSq017506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Dec 2009 23:22:54 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912212222.nBLMMs7D011751@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Mon, 21 Dec 2009 23:22:54 +0100
In-Reply-To: <4B2FDB93.4090105@pobox.com> from "Michael D'Errico" at Dec 21, 9 12:33:23 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Handshake not under protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 22:23:14 -0000
Michael D'Errico wrote:
>
> Martin Rex wrote:
> >
> > Marsh Ray wrote:
> > >
> > > The client cert is requested in the renegotiating handshake, not the
> > > initial one. An anon-anon-DH session provides no "protection" for the
> > > client cert passed in renegotiation.
> >
> > OK. You are correct.
> >
> > That provision in 7.4.4. is about the _current_ handshake only
> > and refers to the fact that a server has sent a "Certificate"
> > message prior to CertificateRequest. Since at the point of
> > the handshake, the Server is _not_ authenticated. There could have
> > been a certificate path validation of the server certificate,
> > but there is no proof yet, that the alleged server knows the
> > necessary private key to the presented certificate, so this
> > restriction in 7.4.4. does not provide security.
>
> If a DHE cipher suite is used, then the server can be authenticated
> using only Certificate and ServerKeyExchange. With RSA cipher suites,
> you are correct that a client doesn't authenticate the server until
> Finished verifies.
I'm not sure I can follow why you think it is protected.
RFC-5246, 7.4.3. Server Key Exchange Message
struct {
select (KeyExchangeAlgorithm) {
case dh_anon:
ServerDHParams params;
case dhe_dss:
case dhe_rsa:
ServerDHParams params;
digitally-signed struct {
opaque client_random[32];
opaque server_random[32];
ServerDHParams params;
} signed_params;
case rsa:
case dh_dss:
case dh_rsa:
struct {} ;
/* message is omitted for rsa, dh_dss, and dh_rsa */
/* may be extended, e.g., for ECDH -- see [TLSECC] */
};
} ServerKeyExchange;
There is signed_params in the Server Key Exchange Message, but
it does _not_ seem to protect from MitM (when the attackers objective
is to elicit a Certificate message with the client's identity
from the attacked client).
If an attacker has a rogue server that wants to determine the client's
identity, then this attacker could open a connection to the particular
server to which it knows the client will reveal his identity,
resend the ClientHello just received and obtain a ServerHello and
ServerKeyExchange that match and then replay this information to
the client (i.e. the server_random used by the real server and
the signed_params sent by the real server.
-Martin
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Ravi Ganesan
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Geoffrey Keating
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] Handshake not under protection Martin Rex