Re: [TLS] MITM Attacks on Client Authentication after Resumption
Nico Williams <nico@cryptonector.com> Tue, 04 March 2014 05:11 UTC
From: Nico Williams <nico@cryptonector.com>
To: Adam Langley <agl@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HBfSdxI6XqQxrIY6XpAneu247Ws
Cc: "kitten@ietf.org" <kitten@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption

[Cross-posting to kitten@ietf.org. Please drop one of tls or kitten when responding. For KITTEN readers, see the TLS list archives, there's an MITM vulnerability when using tls-unique in conjunction with session resumption.]

On Mon, Mar 3, 2014 at 4:07 PM, Adam Langley <agl@google.com> wrote:
> On Mon, Mar 3, 2014 at 4:07 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
>> It appears that the attack described is only feasible when two
>> implementation defects are present:
>
> That's not an unreasonable characterisation of the renegotiation-based
> attacks, but the problem with tls-unique is more fundamental.

The problem for tls-unique is more fundamental indeed, and Andrei's characterization is not applicable.

We should talk about how to fix tls-unique. The best fix may be to keep track of the original (non-resumed) connection's tls-unique CB and add that to the resumed connection's tls-unique CB. This requires adding to the session cache on the client side.

In the short-term, client and server applications should not permit session resumption prior to channel-bound authentication (if using tls-unique). Except that, of course, how is the application to know if session resumption is involved?

Assuming that it can't know or prevent the use of session resumption, I'd say that tls-unique is just simply not to be used. We should publish a new tls-unique that doesn't have this problem.

Nico
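
The two measures in the message above, as an added example (not code from the message or from the working group): refuse channel-bound authentication on a resumed session whose original handshake is unknown, and otherwise bind to the original tls-unique value as well as the resumed one. Assumptions: `FakeConn` and its `session_id` field are hypothetical stand-ins (Python's `ssl.SSLSocket` does expose `session_reused` and `get_channel_binding()`), the cache is keyed by session id, and "add" is modelled as SHA-256 over the concatenation.

```python
import hashlib
from dataclasses import dataclass


class ResumptionNotAllowed(Exception):
    """Channel-bound authentication must not proceed on this connection."""


@dataclass
class FakeConn:
    # Constructed stand-in for a TLS connection object (hypothetical).
    session_id: bytes
    session_reused: bool
    finished: bytes  # constructed value returned as tls-unique

    def get_channel_binding(self, cb_type="tls-unique"):
        return self.finished


def channel_binding_for_auth(conn, cache):
    """Return the bytes to bind authentication to, or refuse.

    cache maps session id -> tls-unique of the original full handshake,
    i.e. the extra session-cache state the message says is required.
    """
    cb = conn.get_channel_binding("tls-unique")
    if cb is None:
        raise ResumptionNotAllowed("no tls-unique value available")
    if not conn.session_reused:
        cache[conn.session_id] = cb  # remember the full handshake's value
        return cb
    original = cache.get(conn.session_id)
    if original is None:
        # Short-term rule: no channel-bound auth on a resumed session
        # whose original handshake cannot be accounted for.
        raise ResumptionNotAllowed("resumed session, original CB unknown")
    # Assumed composition: hash(original || resumed).
    return hashlib.sha256(original + cb).digest()


def resumed_bindings(client_original, server_original, resumed):
    """Run full handshake then resumption at each end; return both CBs."""
    sid = b"\x01" * 32  # constructed session id, same at both ends
    client_cache, server_cache = {}, {}
    channel_binding_for_auth(FakeConn(sid, False, client_original), client_cache)
    channel_binding_for_auth(FakeConn(sid, False, server_original), server_cache)
    c = channel_binding_for_auth(FakeConn(sid, True, resumed), client_cache)
    s = channel_binding_for_auth(FakeConn(sid, True, resumed), server_cache)
    return c, s
```

When both ends recorded the same original value the composed bindings agree; when they recorded different originals the bindings differ even though the resumed value is identical, so channel-bound authentication fails instead of succeeding across two different original connections.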