IETF Logo Mail Archive

Re: [TLS] TLSrenego - current summary of semantics and possibilities

Michael D'Errico <mike-list@pobox.com> Wed, 11 November 2009 00:33 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6973F3A6828 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 16:33:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.281
X-Spam-Level:
X-Spam-Status: No, score=-2.281 tagged_above=-999 required=5 tests=[AWL=-0.282, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z6O2xyODunum for <tls@core3.amsl.com>; Tue, 10 Nov 2009 16:33:45 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 4E8F63A691A for <tls@ietf.org>; Tue, 10 Nov 2009 16:33:45 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 6D6307BBB3 for <tls@ietf.org>; Tue, 10 Nov 2009 19:34:12 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=HPSlsc7bFNrG zM3XWRVy6hmYgxM=; b=xLLkt/rIdpplvDKSwfYHl40fxlCm+SCYVG/lp4ePbYHt XHsDCjHuOMZaDUcnIWysUmiqlKVylWn59gPoWMBqGXwdAOBgNFdqQfqZv1ReEW7b 2NQDlBU69QgM7HhkIqRRjgMGEF9/+CQCLRPVDZhwNeVhJMJK8LhTrwX4/l43FRw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=ftoNcz hpSaPhnsO2F+hU53USzg1jyqOlfujuRj7akg3d4ONva4Hz6WjsiBmu5N9bDCGV0a q76MLE1AmIEeW4Ia9lUGQ8NScod4wHefzyzt7VZWwFvmNiTL9/EAiCK55XxPp54B dS7jm9M91VNyHu2z/H0vIXtAiOJxlPNY9Wz7o=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 68F437BBB2 for <tls@ietf.org>; Tue, 10 Nov 2009 19:34:12 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id BC9807BBAF for <tls@ietf.org>; Tue, 10 Nov 2009 19:34:11 -0500 (EST)
Message-ID: <4AFA06CC.2080703@pobox.com>
Date: Tue, 10 Nov 2009 16:35:24 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911102225.nAAMPElc000249@fs4113.wdf.sap.corp>
In-Reply-To: <200911102225.nAAMPElc000249@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: EEF2ADC2-CE59-11DE-B713-7B3EEE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 00:33:46 -0000

> What you're asking for is to discontinue talking to the entire installed
> base of SSL&TLS implementations.  i.e. clients should only talk to
> updated servers (which means they must be updated clients).

I'm not asking for that.  People seem confused about who sees the
renegotiation.  The client *does not* see a renegotiation in the MITM
attack.  It simply connects once giving its credentials, and the attack
is complete.

> What about a transistion period?
> (A world-wide "SSL/TLS flag day" is probably unlikely) 

Yes, very unlikely.

>> Simply finishing the *initial* handshake completes the attack!  (The
>> server saw it as a renegotiation, not the client.)
> 
> But you do realize that it is an attack on the server?

I just learned of the "confused deputy" attack and it appears that this
is an example of that, with the server acting as the confused deputy.

The server is attacked, but the client is also a victim because they
need to spend the time and energy convincing their credit card company
they didn't order something.

> And do you further realize, that it is a problem of the server
> that request or at least allow renegotiation -- those that reject
> renegotiation are _not_ vulnerable.

Agreed.

> Considering how careless some security folks invent means to coerce
> someones software to talk to someone else (e.g. certificate URL TLS extension,
> AIA in X.509 certs), I don't feel it is fair to hold the TLS clients
> responsible for the problem.

They are not responsible, but they need to be given a defense mechanism.
If they choose not to use the mechanism (i.e. by not sending the extension
on initial connect), they are not going to be protected by that mechanism.

> What you're asking for means that the Browsers should discontinue
> their re-connect fallback with a SSLv3 ClientHello, because the
> MITM could be able to coerce the browsers to do it.

He can indeed.  This is a really bad flaw.  I'm saying that it's risky to
fall back, but I'm sure that won't stop everyone from doing it.

>> To protect against this, the only thing that a client can do is include
>> the empty renegotiation info extension.  If the server returns it and
>> the handshake completes, there is no MITM.  In fact if you were to then
>> renegotiate, you wouldn't need the extension (!) because you are already
>> certain that the handshake was with the server and not the MITM.
> 
> HUH?  The Renegotiation_Info is required for cryptographic binding
> during the renegotiation handshake.  Without it, there is zero protection.

 From just the client's perspective, all it needs is for its initial
handshake to have sent and received an empty renegotiation info extension.
Once that handshake completes, it knows that there is no MITM.  From then
on, it doesn't need secure renegotiation; it can only be talking to the
same server.

 From the server's perspective, though, it does need the cryptographic
binding since it can't tell if a renegotiation is real or proxied.

>> There are a few possible results of sending the extension:
>>
>>      a) the server responds with the extension
>>      b) the server responds without including the extension
>>      c) the server "crashes" because of the extension
> 
> You have forgotten
>        d) the server sends a fatal handshake alert
>        e) the server closes the network connection

(e) is the same as (c), and (d) can be forged too.

>>> Overloading ("abusing") the semantics of other regular elements
>>> of an SSL/TLS handshake that have a lesser likelihood to upset
>>> legacy servers.
>>>
>>>    - Assign one (or two) specific ciphersuite IDs that the client
>>>      can include in the ciphersuites list which signal the clients
>>>      notion of the connection state (initial vs. renegotiation)
>>>      to the server.
>>>
>>>    - Assign one (or two) compression algorithm IDs that the client
>>>      can include in the supported compression algorithms list which
>>>      signal the clients notion of the connection state (initial vs.
>>>      renegotiation) to the server.
>> I would not like to see this kind of solution.  If code has to change,
>> Do The Right Thing.
> 
> The IETF should provide solutions to the _real_ world.
> Limiting our solutions to an ideal world of academic purity will
> hurt the entire community of end users around the world.

If it's not possible to Do The Right Thing, then I am onboard with
doing whatever it takes.  Hijacking a ciphersuite number wouldn't
be the end of the world.

Mike

v2.23.0 | Report a Bug | By Email