IETF Logo Mail Archive

Re: [TLS] matching identity, by default

James Manger <james@manger.com.au> Fri, 04 December 2009 10:37 UTC

Return-Path: <james@manger.com.au>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DACBD3A69DE for <tls@core3.amsl.com>; Fri, 4 Dec 2009 02:37:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[AWL=0.803, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55-GxC2yEeNQ for <tls@core3.amsl.com>; Fri, 4 Dec 2009 02:37:32 -0800 (PST)
Received: from nskntmtas03p.mx.bigpond.com (nskntmtas03p.mx.bigpond.com [61.9.168.143]) by core3.amsl.com (Postfix) with ESMTP id 624D83A67B5 for <tls@ietf.org>; Fri, 4 Dec 2009 02:37:31 -0800 (PST)
Received: from nskntotgx01p.mx.bigpond.com ([58.175.155.56]) by nskntmtas03p.mx.bigpond.com with ESMTP id <20091204103722.UKNW1310.nskntmtas03p.mx.bigpond.com@nskntotgx01p.mx.bigpond.com>; Fri, 4 Dec 2009 10:37:22 +0000
Received: from [192.168.0.2] (really [58.175.155.56]) by nskntotgx01p.mx.bigpond.com with ESMTP id <20091204103721.CRCM17290.nskntotgx01p.mx.bigpond.com@[192.168.0.2]>; Fri, 4 Dec 2009 10:37:21 +0000
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary="Apple-Mail-1-295483188"
From: James Manger <james@manger.com.au>
In-Reply-To: <4B188413.2070303@extendedsubset.com>
Date: Fri, 04 Dec 2009 21:37:20 +1100
Message-Id: <58AAE640-FAE0-493A-A2EF-FCA0EE4E3816@manger.com.au>
References: <200912040154.nB41sIt2029221@fs4113.wdf.sap.corp> <4B188413.2070303@extendedsubset.com>
To: Marsh Ray <marsh@extendedsubset.com>
X-Mailer: Apple Mail (2.1077)
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID str=0001.0A150203.4B18E662.0032,ss=1,fgs=0
Cc: "tls@ietf.org Working Group" <tls@ietf.org>
Subject: Re: [TLS] matching identity, by default
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 10:37:33 -0000

Marsh,

> In other words, an endpoint could
> renegotiate an anonymous connection ten times to provide ten different
> certificates, and the other party can securely treat all data sent over
> that connection as having been authenticated to all ten certificates!


This point about all data being authenticated by all certs is a good point to emphasis.
Unfortunately, it does not mean typical applications wont get confused (ie have vulnerabilities) when they hadn't explicitly anticipated that 10 certs could be renegotiated.

> I have a driver's license issued by Kansas and a passport issued by the
> US Dept of State, yet I do not assume two different identities.
> Sometimes, I am even requested to provide both!

Consider turning up to a Whitehouse check point, showing your credentials to a guard, and "renegotiating" whenever you like by showing another credential. A controller talking to the guard on the phone asks:
[controller] What is the name on the credential?
[guard] Marsh Ray
[controller] Type of credential?
[guard] passport
now you show the guard your driver license
[controller] Issuer of credential?
[guard] Kansas

The controller thinks he has authenticated Marsh Ray with a passport issued by Kansas.
If you happen to have a library card under a fake name and you showed that first, the controller might think he has authenticated Bugs Bunny with a Passport from the US Dept of State. Ouch! That might allow the wrong person into a Whitehouse party ;-)

In this analogy, the guard is a TLS library, the controller is an application, your cards are certificates, and the protocol of showing your cards is TLS (with the fix!).

Is the error the controller's fault or the guards fault? The application's or the TLS library's (or the protocol's for not providing sufficient guidance)?


This suggests another way for a TLS library to ensure it doesn't confuse an application that doesn't explicitly stated it is prepared for renegotiations.
A library could tell the application only about one peer identity it authenticates (probably the first it authenticates).
For instance, Java's HttpsURLConnection.getServerCertificates() method could return the same set of certificates for the life of the object (the life of the TLS connection), and simply not tell the application about any different certificates from renegotiations. The TLS library could still renegotiate and switch to new sessions, but the application would be blissfully unaware -- and still secure.

Somehow this behaviour doesn't feel quite right, but I think it would be ok. It might be easier to implement than comparing identities across negotiations, and it would cope with those (somewhat unbelievable) niche cases of renegotiating with a re-issued certificate etc.

-- 
James Manger

v2.23.0 | Report a Bug | By Email