Re: [TLS] question on draft-ietf-tls-session-hash-03
Tony Hansen <tony@att.com> Tue, 24 February 2015 18:58 UTC
Return-Path: <tony@att.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D6121A8866 for <tls@ietfa.amsl.com>; Tue, 24 Feb 2015 10:58:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UQQEVwRaRBC for <tls@ietfa.amsl.com>; Tue, 24 Feb 2015 10:58:41 -0800 (PST)
Received: from nbfkord-smmo07.seg.att.com (nbfkord-smmo07.seg.att.com [209.65.160.93]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39BE71A8861 for <tls@ietf.org>; Tue, 24 Feb 2015 10:58:38 -0800 (PST)
Received: from unknown [144.160.229.23] (EHLO alpi154.enaf.aldc.att.com) by nbfkord-smmo07.seg.att.com(mxl_mta-7.2.4-5) over TLS secured channel with ESMTP id dd9cce45.0.5015760.00-2322.14084130.nbfkord-smmo07.seg.att.com (envelope-from <tony@att.com>); Tue, 24 Feb 2015 18:58:38 +0000 (UTC)
X-MXL-Hash: 54ecc9de6d48536a-388ad09a49735a11ee7676de21a27456484e568d
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t1OIwbLM031221 for <tls@ietf.org>; Tue, 24 Feb 2015 13:58:37 -0500
Received: from alpi131.aldc.att.com (alpi131.aldc.att.com [130.8.218.69]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id t1OIwSY7031125 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <tls@ietf.org>; Tue, 24 Feb 2015 13:58:31 -0500
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi131.aldc.att.com (RSA Interceptor) for <tls@ietf.org>; Tue, 24 Feb 2015 18:58:19 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id t1OIwJDK011856 for <tls@ietf.org>; Tue, 24 Feb 2015 13:58:19 -0500
Received: from dns.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id t1OIwF8j011681 for <tls@ietf.org>; Tue, 24 Feb 2015 13:58:15 -0500
Received: from tonys-macbook-pro.local (unknown[135.110.241.46](untrusted sender)) by maillennium.att.com (mailgw1) with ESMTP id <20150224185813gw1000ceete>; Tue, 24 Feb 2015 18:58:14 +0000
X-Originating-IP: [135.110.241.46]
Message-ID: <54ECC9C5.4010500@att.com>
Date: Tue, 24 Feb 2015 13:58:13 -0500
From: Tony Hansen <tony@att.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
References: <54EC8900.5000904@att.com> <54EC94C7.6010806@att.com> <26E1D2E1-E57A-4D8E-B432-058541EB2E32@inria.fr>
In-Reply-To: <26E1D2E1-E57A-4D8E-B432-058541EB2E32@inria.fr>
Content-Type: multipart/alternative; boundary="------------010902090506070008040307"
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-AnalysisOut: [v=2.0 cv=KNft+i5o c=1 sm=1 a=VXHOiMMwGAwA+y4G3/O+aw==:17 a]
X-AnalysisOut: [=mJp9S24oyUUA:10 a=6ASjcdcU7ckA:10 a=BLceEmwcHowA:10 a=zQP]
X-AnalysisOut: [7CpKOAAAA:8 a=0HtSIViG9nkA:10 a=48vgC7mUAAAA:8 a=eqsbH_jyG]
X-AnalysisOut: [TMAaWDpKB4A:9 a=pILNOxqGKmIA:10 a=9gzT7w0QE_rBAufPf8wA:9 a]
X-AnalysisOut: [=_W_S_7VecoQA:10]
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2014051901)]
X-MAIL-FROM: <tony@att.com>
X-SOURCE-IP: [144.160.229.23]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FrncV4PH57p4D57gIcjyjCZcHBs>
Cc: tls@ietf.org
Subject: Re: [TLS] question on draft-ietf-tls-session-hash-03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2015 18:58:46 -0000
Thank you for the clarifications Karthik. Here is one suggestion for changing the text: Change: Suppose a client, C, connects to a malicious server, A. A then connects to a server, S, and completes both handshakes. to: Suppose a client, C, connects to an application server, A. C does now know that A is also malicious and that A connects in the background to another server, S. A connects to S and completes both handshakes. Or possibly take some of your text you just posted and add that in. On 2/24/15 1:16 PM, Karthikeyan Bhargavan wrote: > Yes, C wants to connect to A. A independently connects to S. > So in the outer TLS connection, there is no attack. (A is like an > application-level proxy.) > > Then during renegotiation after resumption, C authenticates with a > client certificate to A > and A succeeds in forwarding C’s certificate to S, hence impersonating > C at S. > > There are other variations of the attack on various TLS channel bindings, > but the above version (initial + resumption + renegotiation) is called > the triple handshake attack. > > Perhaps we could be a bit clearer about this in the spec? I am > currently revising it to incorporate other comments on the list. > > Best, > -Karthik > > On 24 Feb 2015, at 16:12, Tony Hansen <tony@att.com > <mailto:tony@att.com>> wrote: > >> Thank you for the quick response. In my interpretation, I took things >> as "C really wants to connect to S, but got A instead". I didn't get >> your interpretation when I read it and re-read it. But I can see now >> how what you wrote would also be a valid interpretation. >> >> I guess we'll await a response from the authors. >> >> Tony Hansen >> >> Benjamin Beurdouche <benjamin.beurdouche at inria.fr >> <mailto:benjamin.beurdouche@DOMAIN.HIDDEN>> wrote: >>> Hi Tony, >>> >>> To me it seems the sentence is correct as C really wants to connect >>> to A thinking it is an honest server and doesn't know S is involved. >>> Then S doesn't know the involvement of A as A connected >>> unauthentified and forwards info from C. >>> But authors should confirm that in case I am mistaken... >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org <mailto:TLS@ietf.org> >> https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] question on draft-ietf-tls-session-hash… Benjamin Beurdouche
- [TLS] question on draft-ietf-tls-session-hash-03 Tony Hansen
- Re: [TLS] question on draft-ietf-tls-session-hash… Tony Hansen
- Re: [TLS] question on draft-ietf-tls-session-hash… Karthikeyan Bhargavan
- Re: [TLS] question on draft-ietf-tls-session-hash… Tony Hansen