Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV

Martin Rex <mrex@sap.com> Thu, 10 December 2009 00:18 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C7103A68C1 for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:18:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.193
X-Spam-Level:
X-Spam-Status: No, score=-6.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grv32i6bjntx for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:18:51 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 5FE573A684F for <tls@ietf.org>; Wed, 9 Dec 2009 16:18:51 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBA0Ia1F010514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 10 Dec 2009 01:18:36 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912100018.nBA0IZN8018573@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 10 Dec 2009 01:18:34 +0100
In-Reply-To: <4B201B0E.2080600@extendedsubset.com> from "Marsh Ray" at Dec 9, 9 03:47:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Analysis of Interop scenarios TLS extension RI w/MCSV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 00:18:52 -0000

Marsh Ray wrote:
> 
> > The purpose of the MCSV is:
> > 
> > - provide interop with installed base of old, extensions-intolerant 
> > servers (original&correct SSLv3 and "defective" TLSv1.0)
> >
> > - provide protection from downgrade attacks (extension-less 
> > ClientHello or SSLv2 ClientHello)
> > 
> > - provide protection in backwards interop scenarios (renegotiation 
> > requested by old servers).
> 
> It will never be safe to conduct renegotiation with a remote party in
> the absence of negotiated RI.

As I wrote a while ago, the name "TLS_RENEGO_PROTECTION_REQUEST"
was chosen _not_ as a requst for secure renegotiation (which it is NOT),
but as a request for _protection_ from the vulnerability through
old TLS renegotiation.

There are two different issues that the fix needs to provide:

  - secure renegotiation between updated clients and servers
    directly talking to each other

  - protection from MitM attacks in all 3 attack scenarios

  - protection from MitM attacks for communication between
    updated clients and updated servers even when both allow
    old renegotiation for backwards interop.

The secure renegotiation is provided by "authenticating" the
verify data from the previous finished messages.  TLS extension RI
performs the authentication with memcmp() on data exchanged
through a TLS extension in the renegotiation handshake.

The protection is provided through negotiating/signaling with the
peer that one is updated.

TLS extension RI does both with the same piece of data in the
handshake message (TLS extension RI), and it seems that some people
fail to understand the difference between the two things.



Previously, I wrote that draft-mrex-tls-secure-renegotiation-03.txt
is a "nanny spec", because it does _not_only_ describes how to perform
secure renegotiation, but it _also_ describes how to implement
backwards interop securely.  This discussion here sugggests that
this difference is unclear to at least some people, and therefore
should be better explained in the draft-ietf-tls-renegotiation-02
as well!



-Martin