Re: [TLS] question on draft-ietf-tls-session-hash-03

Tony Hansen <tony@att.com> Tue, 24 February 2015 18:58 UTC

To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FrncV4PH57p4D57gIcjyjCZcHBs>
Cc: tls@ietf.org

Thank you for the clarifications Karthik.

Here is one suggestion for changing the text:

Change:
     Suppose a client, C, connects to a malicious server, A. A then connects to a
     server, S, and completes both handshakes.
to:
     Suppose a client, C, connects to an application server, A. C does now know
     that A is also malicious and that A connects in the background to another
     server, S. A connects to S and completes both handshakes.

Or possibly take some of your text you just posted and add that in.


On 2/24/15 1:16 PM, Karthikeyan Bhargavan wrote:
> Yes, C wants to connect to A. A independently connects to S.
> So in the outer TLS connection, there is no attack. (A is like an application-level proxy.)
>
> Then during renegotiation after resumption, C authenticates with a client certificate to A
> and A succeeds in forwarding C’s certificate to S, hence impersonating C at S.
>
> There are other variations of the attack on various TLS channel bindings,
> but the above version (initial + resumption + renegotiation) is called the triple handshake attack.
>
> Perhaps we could be a bit clearer about this in the spec? I am currently revising it to incorporate other comments on the list.
>
> Best,
> -Karthik
>
> On 24 Feb 2015, at 16:12, Tony Hansen <tony@att.com> wrote:
>
>> Thank you for the quick response. In my interpretation, I took things 
>> as "C really wants to connect to S, but got A instead". I didn't get 
>> your interpretation when I read it and re-read it. But I can see now 
>> how what you wrote would also be a valid interpretation.
>>
>> I guess we'll await a response from the authors.
>>
>>     Tony Hansen
>>
>> Benjamin Beurdouche <benjamin.beurdouche at inria.fr> wrote:
>>> Hi Tony,
>>>
>>> To me it seems the sentence is correct as C really wants to connect 
>>> to A thinking it is an honest server and doesn't know S is involved. 
>>> Then S doesn't know the involvement of A as A connected
>>> unauthenticated and forwards info from C.
>>> But authors should confirm that in case I am mistaken...
>
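
As an added illustration (not part of this thread or the draft's own text): the sketch below contrasts the TLS 1.2 master secret derivation from RFC 5246 with the session-hash derivation as later published in RFC 7627, for the two connections C-A and A-S discussed above. It assumes a SHA-256 PRF; the `Connection` type, the simplified transcript and all byte values are constructed, and the premise that both connections share a pre-master secret and randoms comes from the draft's attack description, not from this thread.

```python
import hashlib
import hmac
from collections import namedtuple

# Hypothetical container for the values that feed key derivation.
Connection = namedtuple("Connection", "pms client_random server_random server_cert")

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length=48):
    return p_sha256(secret, label + seed, length)

def legacy_master_secret(conn):
    # RFC 5246: depends only on the pre-master secret and the two randoms.
    return prf(conn.pms, b"master secret",
               conn.client_random + conn.server_random)

def transcript(conn):
    # Constructed stand-in for the concatenated handshake messages; a real
    # transcript holds the full ClientHello .. ClientKeyExchange encodings.
    return conn.client_random + conn.server_random + conn.server_cert

def extended_master_secret(conn):
    # RFC 7627: the seed is a hash of the handshake messages, so the
    # server certificate seen on this connection is bound into the key.
    session_hash = hashlib.sha256(transcript(conn)).digest()
    return prf(conn.pms, b"extended master secret", session_hash)

def compare_connections():
    """Return (legacy secrets equal, extended secrets equal) for C-A vs A-S."""
    pms = b"\x03\x03" + bytes(range(46))          # constructed 48-byte value
    cr, sr = bytes([0xC1]) * 32, bytes([0x51]) * 32
    c_to_a = Connection(pms, cr, sr, b"constructed certificate of A")
    a_to_s = Connection(pms, cr, sr, b"constructed certificate of S")
    legacy_equal = hmac.compare_digest(legacy_master_secret(c_to_a),
                                       legacy_master_secret(a_to_s))
    extended_equal = hmac.compare_digest(extended_master_secret(c_to_a),
                                         extended_master_secret(a_to_s))
    return legacy_equal, extended_equal

if __name__ == "__main__":
    print(compare_connections())
```

With the legacy derivation the two connections end up with the same master secret even though C saw A's certificate and S presented its own; with the session hash the secrets differ, so a session from one connection cannot be resumed as a match for the other.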