IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Eric Rescorla <ekr@rtfm.com> Sat, 11 February 2017 19:20 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ECB9129457 for <tls@ietfa.amsl.com>; Sat, 11 Feb 2017 11:20:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5vmMAZxJhjfR for <tls@ietfa.amsl.com>; Sat, 11 Feb 2017 11:20:43 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0E7812941A for <tls@ietf.org>; Sat, 11 Feb 2017 11:20:42 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id u68so36023316ywg.0 for <tls@ietf.org>; Sat, 11 Feb 2017 11:20:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2ICBtsRQV6ASjNSzzBFx9NTvdYZKAwYgiWSSCYUulaM=; b=IN9ev8yZxgfsNHcFfYpqUToaoY82BNi6DC8qXAumhi188lz4SJHWuSacToK4fgbbqo RqPzm/pPiXJYkYTq169NJ4Tg8yv2X+EqyfM4NqJ8bSNVePgPTCe2bZznDLjYwDXk35Or xNPOX/QBprom9hvPGMJ5w6ud4exKGFdQp9y9Eq1GnYC+N1OH4EBH29yDvnviQXopxSTt BcegFr/FC1sZEtCzbE3kNWaoUF8aSjjJMug0PjDEaN1xTUd30TVDtK4gQULI2bEJ1fkW koj73rWXD8i5iRJbFQ2An5+p/MFlF1EeCe513s911ykw82TpUdMsns0RL+AajUDFiDa+ tIJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2ICBtsRQV6ASjNSzzBFx9NTvdYZKAwYgiWSSCYUulaM=; b=avgEbkIOvYM6Dt9dXNPYWL4nuf8wF9NH9ic8wi9Tz54KzfY78kvsOfRg4rBIeW0AwP RiA+ED4JIPglTvdLorafvi/NosPmJFD+ayP7wPt/+E5Vt33O1MiS3xkZi/7zjD/H8Ztq Ox7w4T2hmwYrTGTW96n6yRqP66gOwjFKb5p5CL5W82DadmIp9Z4K9/saSzE/qZEEnV2W +c4mwjZVoRLFhF3kbqd6CRfgLmG6ZRTPRgtv8mA9dPfqN3bltFwWqnGzfkToSKTC/nJP HzELTDBaIIzYCnEWLh+aG4KcTqNQ1iGLi0sk32CUsBB5k2DgjdRBgrWHdX4u7p7Y0KYG NvPw==
X-Gm-Message-State: AMke39nlChhWy5XclP/dcluLlLQJ5ahm7ey93G2Y25fO3ooN/qFmbP+G1Z8LMxfG7SM4n2YYDm7O/DLXFof36Q==
X-Received: by 10.129.162.130 with SMTP id z124mr12003806ywg.276.1486840842003; Sat, 11 Feb 2017 11:20:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Sat, 11 Feb 2017 11:20:01 -0800 (PST)
In-Reply-To: <304937cb-ca58-d4aa-a731-fd1498848637@gmail.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com> <CABcZeBPxid8W-r4uUXewFg+cYtUssqQLOcjJ=2ueuyVqj4qZUA@mail.gmail.com> <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com> <CY1PR0301MB0842B2E974E5E5AF94EF706A8C470@CY1PR0301MB0842.namprd03.prod.outlook.com> <304937cb-ca58-d4aa-a731-fd1498848637@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 11 Feb 2017 11:20:01 -0800
Message-ID: <CABcZeBPoS6pB_2zCP_nrDp9-wHTYjc8347gjfHU6BZpw5xuHHQ@mail.gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c12929239d4c60548461c3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fj3c0wDt9uOqKw92CfdAZo00U1Q>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Feb 2017 19:20:46 -0000

On Sat, Feb 11, 2017 at 6:52 AM, Sam Scott <sam.scott89@gmail.com> wrote:

> Is it common that 0.5 RTT data will be sent by the server in a fresh
> session? I.e. not after a resumption and therefore without the client
> previously sending early data?
>

Yes, I think it will be, especially in cases where the server says the same
thing to every client (e.g., HTTP settings frames).
Probably a less often in cases where the initial handshake will demand
client auth.


Even so, it does also seem like a slightly troubling scenario, since the
> client has no (in-band) mechanism to determine the authentication was
> successful (or even at what point it arrived). Again, this could be
> rectified by forcing the client/server to update their keys, and even
> better if they include the client's authentication messages.
>
> However, NewSessionTicket messages do not have this problem since the
> server wont send these before processing the client Finished,
>

Specifically: the EMS is derived from the client's entire transcript
through the client's Finished, so you can't compute it until then.


but it could still be an issue in the post-hs scenario.
>

Yes, NST is asynchronous wrt post-handshake auth, just like app data
messages.

-Ekr


> Just want to reiterate: thanks all for helping to clarify this behaviour
> we've encountered. Hopefully it proves a useful insight into the guarantees
> (or lack thereof) provided  by client authentication. Also it is really
> useful in helping us to refine our model :)
>
> Sam
>
>
> On 11/02/17 01:49, Andrei Popov wrote:
>
> What about Eric’s other point:
>
> Ø  I am not sure that the regular TLS handshake guarantees these
>
> Ø  properties either. The reason is that the server is permitted to
>
> Ø  send data prior to receiving the client's second flight (0.5 RTT
>
> Ø  data).
>
>
>
> With the server sending data prior to receiving the client’s second
> flight, it seems that property B is not there when using in-handshake
> client authentication as well?
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org <tls-bounces@ietf.org>] *On
> Behalf Of *Sam Scott
> *Sent:* Friday, February 10, 2017 12:53 PM
> *To:* Eric Rescorla <ekr@rtfm.com> <ekr@rtfm.com>
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] Awkward Handshake: Possible mismatch of
> client/server view on client authentication in post-handshake mode in
> Revision 18
>
>
>
> Hi Ekr,
>
> That's a good summary of the situation. Indeed we weren't previously
> considering TLS as able to enforce the ordering of messages which does seem
> to mitigate our scenario for property A. We haven't really had a chance to
> take that into consideration for property B, but at a glance it does still
> seem to be an issue.
>
> As mentioned in my other email, one scenario we encountered this was if
> (using your message numbering as reference) messages 5 or 9 happened to be
> a NewSessionTicket. In this case, the client might be under the impression
> that they have a session ticket for a mutually authenticated channel.
>
> Thanks,
>
> Sam
>
> On 10/02/17 20:39, Eric Rescorla wrote:
>
> Cas, Sam,
>
>
>
> I thought I understood your concern here but maybe I don't.
>
>
>
> Say we have the following sequence of messages
>
>
>
>   1. C->S: ClientHello
>
>   2. S->C: ServerHello...ServerFinished
>
>   3. C->S: ClientFinished
>
>   4. C->S: App message
>
>   5. S->C: App message
>
>   6. S->C: CertificateRequest
>
>   7: C->S: Certificate...Finished
>
>   8: C->S: App message
>
>   9: S->C: App message
>
>
>
> As you indicate, there's some ambiguity from the client's perspective
>
> (property B) about whether messages 5 and 9 were sent by the server
>
> prior to or after receiving message 7, and also message 8. This
>
> ambiguity exists even without an attacker and may or may not be
>
> resolved at the application layer. An attacker can exploit this
>
> ambiguity by holding messages 7 and 8 and (as long as application
>
> semantics permit this).
>
>
>
> Where I get confused is about property A. As I understand your
>
> claim, an attacker can hold message 7 but deliver message 8 and
>
> therefore, even if the client knows that 9 was in response to 8,
>
> he doesn't know that the server received 7. As Ilari says, I don't
>
> believe that this is correct because TLS enforces message ordering.
>
> I agree that the specification doesn't explicitly say this, but
>
> it's implicit in the processing rules via the following:
>
>
>
> 1. The encryption for each TLS record depends on the record sequence
>
>    number (RSN).
>
> 2. Records do not carry their RSN, so when you decrypt a message, you
>
>    must use the last RSN + 1
>
> 3. When you fail to decrypt a message (which is what happens if you have
>
>    the wrong RSN) you are required to tear down the connection
>
>    (https://tlswg.github.io/tls13-spec/#record-payload-protection).
>
>
>
> For this reason, if the attacker removes message 7, then 8 will not
>
> be decryptable, and so ordering is preserved. As Ilari says, this isn't
>
> true in DTLS 1.3 which we'll presumably have to deal with one way
>
> or the other before standardization (my plan would be just to forbid
>
> post-handshake auth). Do you disagree with this? If so, perhaps you
>
> could explain.
>
>
>
> -Ekr
>
>
>
> P.S. I am not sure that the regular TLS handshake guarantees these
>
> properties either. The reason is that the server is permitted to
>
> send data prior to receiving the client's second flight (0.5 RTT
>
> data). See:
>
> https://tlswg.github.io/tls13-spec/#protocol-overview
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Feb 10, 2017 at 11:45 AM, Sam Scott <sam.scott89@gmail.com> wrote:
>
> Hi Ilari,
>
> Thanks for the comments.
>
> Assuming the client sends a valid certificate that the server accepts,
> then the server cannot finish the handshake or begin processing incoming
> application data until authenticating the client. This *almost* gives us
> property (A). In practice, the client is aware that the server has
> successfully authenticated since the protocol continues.
>
> In the case that the server has implemented the reject option (rejecting a
> certificate but still continuing), and indeed rejects the certificate, then
> the server should send an alert message (or NAK of some form) for the
> property to hold in the initial handshake.
>
> However, even if we take the certificate reject + continue scenario into
> account for the initial handshake, then it is clear that this decision can
> only be made by the server in the initial handshake, while in the
> post-handshake client auth, an attacker can decide this (by dropping the
> message).
>
> The reason we don't believe an explicit ACK is needed is because upgrading
> to a new pair of keys explicitly provides this. Specifically, the client
> will send all subsequent data to the server under a new key. The server
> will not be able to decrypt this data until they receive the client
> authentication messages and upgrade the keys.
>
> This can be strengthened if the client's updated write key is computed
> using the authentication messages.
>
> We agree that TLS enforcing ordering of messages provides similar
> guarantees. However, we are analysing the specification as it is presented,
> which does not guarantee this.
>
> Thanks,
>
> Sam
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email