Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Mon, 09 November 2009 22:09 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 088DA28C1E9 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 14:09:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.466
X-Spam-Level:
X-Spam-Status: No, score=-2.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQmyjXDvaASO for <tls@core3.amsl.com>; Mon, 9 Nov 2009 14:09:46 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 2EE293A6968 for <tls@ietf.org>; Mon, 9 Nov 2009 14:09:22 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7cQl-0009ah-0d; Mon, 09 Nov 2009 22:09:47 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 6698F6678; Mon, 9 Nov 2009 22:09:45 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/aAVnT9aAxVU+zgTTILdIFPpvIRwtZyo0=
Message-ID: <4AF89325.3020905@extendedsubset.com>
Date: Mon, 09 Nov 2009 16:09:41 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803@extendedsubset.com>, <4AF86EDF.3090004@jacaranda.org> <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03@il-ex01.ad.checkpoint.com>
In-Reply-To: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03@il-ex01.ad.checkpoint.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 22:09:47 -0000

Yoav Nir wrote:
> 
> Even that can be further refined. You can freely renegotiate an
> authenticated session, as long as the renegotiation does not involve
> an identity change.

Maybe. What about cases where the sessions are "authenticated" from the
perspective of TLS, but the higher-layer protocols stack on additional
notions of identity?

I seem to recall systems (MS Terminal Services Gateway perhaps?) where a
common client cert is used simply to grant basic access, then some form
of HTTP authentication is used to authenticate which user it is.

TLS does not necessarily know the full extent of "identity" attributed
by higher layers, so you would be allowing any party that can pass the
TLS level auth to MITM the others.

For example, a browser may have several connections to the same set of
servers behind https://ecommerce.example.com/, but you still wouldn't
want to allow a bad guy on one to splice channels between them.

> Obviously, if the first handshake include client authentication, any
> renegotiation that includes the same client cert is fine.

I disagree, I think it subtly violates the assumption of continuity over
the TCP connection.

> If the session is authenticated by the application (as in an HTTPS
> login page) it's also possible to renegotiate with impunity,

Renegotiation (in the absence of draft-rescorla-tls-renegotiate) offers
a point which allows anyone who can pose as one of the parties (perhaps
an anon) to splice in a connection from a third party to the one he is
posing.

This is bad, the HTTPS client-cert renego case.
   A---+---B
   C---+
A-Anonymous Alice
B-Bob
C-Client cert authenticated

These are also bad:

   A---+---B  C---+---B      +---A2 (requires buggy client)
   A---+      C---+      A---+---B

This violates core assumptions even if the same name or "anonymous"
appears at each end of the multiple sessions at play.

- Marsh