Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
Cas Cremers <cas.cremers@cs.ox.ac.uk> Mon, 13 February 2017 12:33 UTC
Return-Path: <cas.cremers@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB104129621 for <tls@ietfa.amsl.com>; Mon, 13 Feb 2017 04:33:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQqBlYl3nYw4 for <tls@ietfa.amsl.com>; Mon, 13 Feb 2017 04:33:16 -0800 (PST)
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com [IPv6:2a00:1450:4010:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE3F3129628 for <tls@ietf.org>; Mon, 13 Feb 2017 04:33:15 -0800 (PST)
Received: by mail-lf0-x235.google.com with SMTP id z134so49355648lff.3 for <tls@ietf.org>; Mon, 13 Feb 2017 04:33:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=B+KwyAzUTcpyqJVAk4fQtEnPo36UFfLzOOS/+rZBPxc=; b=FSWawvmO/6RLXs5QZMHBE8HlzQYqgBfwTBeS6D/YrTQsr7DFBzhmyWpsJUHICEncty nALYH+atLepiXNnod3issSq3b9zZ/Wj3wm11Qen/BAFVVOpF5mCKDQ14u50rx6Cg6u+h ej7rTx+3g5eCbC3XD66UAmBAdSWRELOeMcbFP0/Z4ObEOp+b/wevdvojMM30ecRddsRd cidvPCGWk3LGWJoOnZLvrf7ferMpF4BDun5f21XbvuyUDeko5LH1A0gy1klHkL5KmTY7 Cr3WzHDmQHz2YKsiQ6RxwrQGkF1VFCC3hEKbQT0RJPUUR8ShGdH2EWHbydRkkqplWxM4 /Thg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=B+KwyAzUTcpyqJVAk4fQtEnPo36UFfLzOOS/+rZBPxc=; b=mA3A2pgbO+t72bLuVPojikTzxIIl3oYIenDPKcMTzdDXmbJdSrQ5PnrnSi/r7TvJdH F8DkJRDQp8uHR0+RPWT+VLRgP0EkMKtGfxyOKNnxUN28Ob11SKbStkTbKQx5WNIZQNeM t8ty1yUtQu//sToUYPxilSQPPn/4KzT+6Mrwhx9phfKrgkCDSD6hbUNXQoGXViHgi1oq jCLLGI7GQqA7sBxFcwxH2LoePCATCKMrOVRm8O6/X4onWs/3qaY310pXe5IHFW5iCrzR kgWSxV/6a8ytIyNUXi3QFuS5R3eQSV0rkMiN7JYqfiDAva2dCvB0wSaUgrawKq4UMX04 xCUw==
X-Gm-Message-State: AMke39mnEtZLuxCLxbMTPElE+mqbW0MxTkIDYsyhxzO87zc5NEd9e9J+aAVaX21A6DfMpHYoNL0iUz94aiQdIg==
X-Received: by 10.25.87.5 with SMTP id l5mr6200171lfb.87.1486989194068; Mon, 13 Feb 2017 04:33:14 -0800 (PST)
MIME-Version: 1.0
Sender: cas.cremers@gmail.com
Received: by 10.46.0.164 with HTTP; Mon, 13 Feb 2017 04:32:53 -0800 (PST)
From: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Date: Mon, 13 Feb 2017 12:32:53 +0000
X-Google-Sender-Auth: FVD7uBrCKksg0sMJcYx09sBXjBs
Message-ID: <CABdrxL6qupAu+Ztxw7BU1e-eoy-kfJKRQq+ZZyoKokXHNZEoZQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a11425058b28c6b054868a617"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ETcHlIPPGc1tCCcBRs5EXuL9oZw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2017 12:33:18 -0000
Thanks everyone, we will try to wrap up the situation and remaining issues. TL;DR: The problem that we identified applies to fewer situations in the real protocol than we thought, because of our previously coarse modelling of the AEAD. However, the main issue remains: the client never receives an in-band confirmation that the client authentication has succeeded. From a formal perspective this means there can be a mismatch between the view of the client and the server. We suggest this is made explicit in the security guarantees section. Furthermore, supposing the client has a way to determine whether authentication was successful, there still exists the possibility that the client receives messages whose context is ambiguous. In more detail: 1. Ordering of messages, which is enforced by the AEAD, means that property (A) we discussed is not an issue. The client knows that any message sent after the certificate will arrive (be processed) at the server after the certificate. 2. Property (B) is still an open issue for both the initial handshake and post-handshake. Application messages sent by the server can easily be delayed (by network or adversary) and the client cannot determine whether this message was sent before or after the authentication was received and therefore under the assumption that the client is an authenticated peer or not. 3. There is a small asymmetry between the initial handshake and post-handshake. If the client authenticates in the initial handshake, receiving post-handshake messages (such as a NewSessionTicket), must come after the client's certificate/finished is processed. This is enforced cryptographically since the RMS is computed using the Finished messages. In contrast, NST messages can arrive ambiguously before/after a post-handshake client authentication. The main takeaway is that the client never really receives any acknowledgement of whether the verification provided was successful or rejected through an in-band mechanism. The context of the keys does not include the client’s authentication status (nor the client’s certificate), and is the same in both cases. From a formal analysis point of view, this results in a mismatch where the client and server may not agree on the mutual authentication status, which is the main point we wanted to raise. Assuming now that the key context will not be changed, we suggest to explicitly mention in the security guarantees section that the client, after sending authentication messages, cannot be sure at any point that the server has received these messages and considers the connection to be mutually authenticated. If the client wishes to obtain such a guarantee, it has to be informed by the server’s application. Best, Cas Cremers, Marko Horvat, Jonathan Hoyland, Thyla van der Merwe, and Sam Scott
- [TLS] Awkward Handshake: Possible mismatch of cli… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Victor Vasiliev
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Thomson
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex