Re: [TLS] Handshake not under protection
Martin Rex <mrex@sap.com> Mon, 21 December 2009 23:54 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9BCC13A6A87 for <tls@core3.amsl.com>; Mon, 21 Dec 2009 15:54:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.194
X-Spam-Level:
X-Spam-Status: No, score=-6.194 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lC1CvClnzzyG for <tls@core3.amsl.com>; Mon, 21 Dec 2009 15:54:55 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 74B4A3A6A6E for <tls@ietf.org>; Mon, 21 Dec 2009 15:54:55 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBLNsbVU024051 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Dec 2009 00:54:37 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912212354.nBLNsbWR017235@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Tue, 22 Dec 2009 00:54:37 +0100
In-Reply-To: <4B3004E9.3020702@pobox.com> from "Michael D'Errico" at Dec 21, 9 03:29:45 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Handshake not under protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 23:54:56 -0000
Michael D'Errico wrote: > > Yes, you are right. A MitM can not sign the ServerKeyExchange himself, > but he can just ask the real server to do it. > > But this thread is about sending a client certificate in a renegotiation > handshake, so there should be no MitM (if the client has validated the > first handshake). > > Perhaps I misunderstood what was being asked. Since I re-vived this thread, I'll try a summary of the latest messages, which were about availability and security of client identity protection through a TLS renegotiation handshake. When servers do not ask for client certificates on the initial handshake, but only during a TLS renegotiation, then this protectes client identities from passive observers / passive attackers only. If a client wants to protect his identity from active attackers (MitM) as well, and only reveal it to selected servers, then this will require (1) an initial TLS handshake where the TLS server provides his Server certificate (2) an app-level determination that the authenticated TLS-Server to which the client identity may be revealed (3) a TLS renegotiation where the server requests and the client sends a client certificate. A DH_anon session will not be sufficient for (1), because it precludes (2). The authentication of the Server in (3) happens much too late (Server.Finished) to be usable for the determination whether the client may a Certificate message on handshake (3). -Martin
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Ravi Ganesan
- Re: [TLS] TLS Digest, Vol 65, Issue 88 Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Geoffrey Keating
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Martin Rex
- Re: [TLS] Handshake not under protection Marsh Ray
- Re: [TLS] Handshake not under protection Michael D'Errico
- Re: [TLS] Handshake not under protection Martin Rex