Re: [TLS] MITM Attacks on Client Authentication after Resumption

Nico Williams <nico@cryptonector.com> Tue, 04 March 2014 05:11 UTC

To: Adam Langley <agl@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HBfSdxI6XqQxrIY6XpAneu247Ws
Cc: "kitten@ietf.org" <kitten@ietf.org>, "tls@ietf.org" <tls@ietf.org>

[Cross-posting to kitten@ietf.org.  Please drop one of tls or kitten
when responding.  For KITTEN readers, see the TLS list archives,
there's an MITM vulnerability when using tls-unique in conjunction
with session resumption.]

On Mon, Mar 3, 2014 at 4:07 PM, Adam Langley <agl@google.com> wrote:
> On Mon, Mar 3, 2014 at 4:07 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
>> It appears that the attack described is only feasible when two
>> implementation defects are present:
>
> That's not an unreasonable characterisation of the renegotiation-based
> attacks, but the problem with tls-unique is more fundamental.

The problem for tls-unique is more fundamental indeed, and Andrei's
characterization is not applicable.

We should talk about how to fix tls-unique.  The best fix may be to
keep track of the original (non-resumed) connection's tls-unique CB
and add that to the resumed connection's tls-unique CB.  This requires
adding to the session cache on the client side.

In the short-term, client and server applications should not permit
session resumption prior to channel-bound authentication (if using
tls-unique).  Except that, of course, how is the application to know
if session resumption is involved?  Assuming that it can't know or
prevent the use of session resumption, I'd say that tls-unique is just
simply not to be used.  We should publish a new tls-unique that
doesn't have this problem.

Nico
--
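
The two measures discussed in this message, sketched as an added example that is not part of the original post and not taken from any TLS library: the client-side cache keeps the original connection's tls-unique CB and chains it into the resumed connection's CB, and plain tls-unique is refused on a resumed session. The class and function names, the in-memory cache and the SHA-256 combining step are assumptions; the message only says the original CB is added to the resumed one.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict


class ResumptionNotAllowed(Exception):
    """Channel-bound authentication was attempted where policy forbids it."""


@dataclass
class ClientSessionCache:
    # session_id -> tls-unique CB of the original (non-resumed) connection.
    # This is the extra state the proposal adds to the client-side cache.
    original_cb: Dict[bytes, bytes] = field(default_factory=dict)

    def full_handshake(self, session_id: bytes, first_finished: bytes) -> bytes:
        """tls-unique for a full handshake (RFC 5929: the first Finished message)."""
        self.original_cb[session_id] = first_finished
        return first_finished

    def resumed_handshake(self, session_id: bytes, first_finished: bytes) -> bytes:
        """Chained CB that also commits to the original connection."""
        try:
            original = self.original_cb[session_id]
        except KeyError:
            raise ResumptionNotAllowed("no original CB cached") from None
        # Assumption: "add" is modelled as SHA-256 over both length-prefixed values.
        h = hashlib.sha256()
        for part in (original, first_finished):
            h.update(len(part).to_bytes(2, "big") + part)
        return h.digest()


def legacy_tls_unique(first_finished: bytes, session_resumed: bool) -> bytes:
    """Short-term policy: plain tls-unique only on a non-resumed connection."""
    if session_resumed:
        raise ResumptionNotAllowed("tls-unique refused on a resumed session")
    return first_finished


def demo() -> bool:
    # Constructed values: two sessions that descend from different full
    # handshakes but whose resumed handshakes yield the same Finished bytes.
    a, b = ClientSessionCache(), ClientSessionCache()
    a.full_handshake(b"sid", b"finished-A")
    b.full_handshake(b"sid", b"finished-B")
    same = b"resumed-finished"
    # Plain tls-unique would be equal here; the chained values are not.
    return a.resumed_handshake(b"sid", same) != b.resumed_handshake(b"sid", same)
```

The short-term policy still depends on the TLS stack telling the application whether the session was resumed, which is the open question the message raises.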