IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Cas Cremers <cas.cremers@cs.ox.ac.uk> Mon, 13 February 2017 12:33 UTC

Return-Path: <cas.cremers@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB104129621 for <tls@ietfa.amsl.com>; Mon, 13 Feb 2017 04:33:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQqBlYl3nYw4 for <tls@ietfa.amsl.com>; Mon, 13 Feb 2017 04:33:16 -0800 (PST)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE3F3129628 for <tls@ietf.org>; Mon, 13 Feb 2017 04:33:15 -0800 (PST)
Received: by mail-lf0-x235.google.com with SMTP id z134so49355648lff.3 for <tls@ietf.org>; Mon, 13 Feb 2017 04:33:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=B+KwyAzUTcpyqJVAk4fQtEnPo36UFfLzOOS/+rZBPxc=; b=FSWawvmO/6RLXs5QZMHBE8HlzQYqgBfwTBeS6D/YrTQsr7DFBzhmyWpsJUHICEncty nALYH+atLepiXNnod3issSq3b9zZ/Wj3wm11Qen/BAFVVOpF5mCKDQ14u50rx6Cg6u+h ej7rTx+3g5eCbC3XD66UAmBAdSWRELOeMcbFP0/Z4ObEOp+b/wevdvojMM30ecRddsRd cidvPCGWk3LGWJoOnZLvrf7ferMpF4BDun5f21XbvuyUDeko5LH1A0gy1klHkL5KmTY7 Cr3WzHDmQHz2YKsiQ6RxwrQGkF1VFCC3hEKbQT0RJPUUR8ShGdH2EWHbydRkkqplWxM4 /Thg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=B+KwyAzUTcpyqJVAk4fQtEnPo36UFfLzOOS/+rZBPxc=; b=mA3A2pgbO+t72bLuVPojikTzxIIl3oYIenDPKcMTzdDXmbJdSrQ5PnrnSi/r7TvJdH F8DkJRDQp8uHR0+RPWT+VLRgP0EkMKtGfxyOKNnxUN28Ob11SKbStkTbKQx5WNIZQNeM t8ty1yUtQu//sToUYPxilSQPPn/4KzT+6Mrwhx9phfKrgkCDSD6hbUNXQoGXViHgi1oq jCLLGI7GQqA7sBxFcwxH2LoePCATCKMrOVRm8O6/X4onWs/3qaY310pXe5IHFW5iCrzR kgWSxV/6a8ytIyNUXi3QFuS5R3eQSV0rkMiN7JYqfiDAva2dCvB0wSaUgrawKq4UMX04 xCUw==
X-Gm-Message-State: AMke39mnEtZLuxCLxbMTPElE+mqbW0MxTkIDYsyhxzO87zc5NEd9e9J+aAVaX21A6DfMpHYoNL0iUz94aiQdIg==
X-Received: by 10.25.87.5 with SMTP id l5mr6200171lfb.87.1486989194068; Mon, 13 Feb 2017 04:33:14 -0800 (PST)
MIME-Version: 1.0
Sender: cas.cremers@gmail.com
Received: by 10.46.0.164 with HTTP; Mon, 13 Feb 2017 04:32:53 -0800 (PST)
From: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Date: Mon, 13 Feb 2017 12:32:53 +0000
X-Google-Sender-Auth: FVD7uBrCKksg0sMJcYx09sBXjBs
Message-ID: <CABdrxL6qupAu+Ztxw7BU1e-eoy-kfJKRQq+ZZyoKokXHNZEoZQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a11425058b28c6b054868a617"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ETcHlIPPGc1tCCcBRs5EXuL9oZw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2017 12:33:18 -0000

Thanks everyone, we will try to wrap up the situation and remaining issues.

TL;DR:
The problem that we identified applies to fewer situations in the real
protocol than we thought, because of our previously coarse modelling of the
AEAD. However, the main issue remains: the client never receives an in-band
confirmation that the client authentication has succeeded. From a formal
perspective this means there can be a mismatch between the view of the
client and the server. We suggest this is made explicit in the security
guarantees section.

Furthermore, supposing the client has a way to determine whether
authentication was successful, there still exists the possibility that the
client receives messages whose context is ambiguous. In more detail:

   1. Ordering of messages, which is enforced by the AEAD, means that
   property (A) we discussed is not an issue. The client knows that any
   message sent after the certificate will arrive (be processed) at the
   server after the certificate.
   2. Property (B) is still an open issue for both the initial handshake
   and post-handshake. Application messages sent by the server can easily
   be delayed (by network or adversary) and the client cannot determine
   whether this message was sent before or after the authentication was
   received and therefore under the assumption that the client is an
   authenticated peer or not.
   3. There is a small asymmetry between the initial handshake and
   post-handshake. If the client authenticates in the initial handshake,
   receiving post-handshake messages (such as a NewSessionTicket), must
   come after the client's certificate/finished is processed. This is enforced
   cryptographically since the RMS is computed using the Finished messages. In
   contrast, NST messages can arrive ambiguously before/after a post-handshake
   client authentication.

The main takeaway is that the client never really receives any
acknowledgement of whether the verification provided was successful or
rejected through an in-band mechanism.

The context of the keys does not include the client’s authentication status
(nor the client’s certificate), and is the same in both cases. From a
formal analysis point of view, this results in a mismatch where the client
and server may not agree on the mutual authentication status, which is the
main point we wanted to raise.

Assuming now that the key context will not be changed, we suggest to
explicitly mention in the security guarantees section that the client,
after sending authentication messages, cannot be sure at any point that the
server has received these messages and considers the connection to be
mutually authenticated. If the client wishes to obtain such a guarantee, it
has to be informed by the server’s application.

Best,

Cas Cremers,
Marko Horvat,
Jonathan Hoyland,
Thyla van der Merwe, and
Sam Scott

v2.23.0 | Report a Bug | By Email