IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Michael D'Errico <mike-list@pobox.com> Wed, 18 November 2009 16:19 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D1643A6961 for <tls@core3.amsl.com>; Wed, 18 Nov 2009 08:19:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.363
X-Spam-Level:
X-Spam-Status: No, score=-1.363 tagged_above=-999 required=5 tests=[AWL=-1.064, BAYES_00=-2.599, MANGLED_TOOL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F3uO47ejoDuh for <tls@core3.amsl.com>; Wed, 18 Nov 2009 08:19:30 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 185C63A692B for <tls@ietf.org>; Wed, 18 Nov 2009 08:19:30 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5AE069F50A for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:28 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=ET0goXptrvrn cRzGCV5xfNmZ7I8=; b=oTaVn2pSh7M1NnhQIIv1uMLBmqnn2rJClh+2JuORFAhO pmoteMnvq93KhgjkUmI1qydIE9e+0ZE2dAw/8PBHLDb0A5PIpQr/SH1bm+tJAPVA Pd+OxbfWYzAlxh8VUjIe3N89bfUlC17n3ED/vyGbCHWD6cPHmLhVbC3q8n8Kyl8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=A69gE4 T74n/pw9YiCEBP3J3NOtCVjLizoFifitwyWS2HvbscQ6zjp00pycfFqWF4LIdBE+ ibuc16h42xEy18vADu7YmfAO93OdTboPu3AV2BSrJsspyh4hV+nnRBsV1zjD1LT2 SXuZ51zzJ2yil9FGo+RSyJqtWKHk5SVrLYaZo=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5782D9F509 for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:28 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id DCA689F508 for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:27 -0500 (EST)
Message-ID: <4B041ED9.7080401@pobox.com>
Date: Wed, 18 Nov 2009 08:20:41 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp> <089F31C221374096B0FE619F@446E7922C82D299DB29D899F> <4B022EBB.5030108@pobox.com> <808FD6E27AD4884E94820BC333B2DB774F30FE106F@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F30FE106F@NOK-EUMSG-01.mgdnok.nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 2528DBC8-D45E-11DE-922E-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 16:19:31 -0000

Pasi.Eronen@nokia.com wrote:
> It seems many of the drawbacks of tls-renegotiation-00 you mention 
> are in fact addressed (to some degree) in version -01? (mainly
> by including the "magic cipher suite") Compared to -01, what do
> you think the main differences are?

If you include a magic cipher suite, then you don't need to send
*anything* else from client to server.  This is what the alternative
does that I implemented yesterday.  The contents of the extension do
not need to be transmitted over the wire since both peers know what
it should contain.  As long as that information gets added to the
Finished message calculation (true in both proposals), the security
hole is patched.

Plus I believe the magic cipher suite in RI-01 is only for fallback
behavior.  The very fact that fallback behavior needs to be even
considered in RI is a showstopper in my opinion.  The alternative
does not require any of that.

Mike


> Best regards,
> Pasi
> (not wearing any hats)
> 
>> -----Original Message-----
>> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
>> ext Michael D'Errico
>> Sent: 17 November, 2009 07:04
>> To: tls@ietf.org
>> Subject: Re: [TLS] simplistic renego protection
>>
>>> If you want your alternative proposal to be considered, submit an
>>> Internet draft and get some running code and feedback from
>>> implementations showing your proposal would deploy protection to more
>>> users than draft-rescorla-tls-renegotiation-00.  Then you may sway
>>> people to your viewpoint.
>> Here is how draft-rescorla-tls-renegotiation-00 fails to protect the
>> most people:
>>
>>    - there are so many interoperability problems with TLS extensions
>>      that even the author of the draft suggests that a "lenient"[*]
>>      client not send the extension on its initial connection
>>
>>    - there will be a transition period where some servers absolutely
>>      need to continue allowing unpatched clients to perform the current
>>      vulnerable renegotiation.
>>
>>    - a lenient client's handshake without the RI extension looks just
>>      like an unpatched client that these unfortunate servers need to
>>      continue supporting
>>
>>    - a man-in-the-middle can take advantage of these three points to
>>      victimize a patched client talking to a patched server!
>>
>> Just today many of us have converged on an alternate solution that does
>> not have this serious problem.  Instead of using extensions with all
>> the myriad problems, the only bits-on-the-wire change is to include a
>> single special cipher suite that signals to the server that the client
>> wishes to use a new calculation of the Finished messages that includes
>> the verify_data from the previous handshake.  I suggested that an alert
>> message could be used for the server to acknowledge back to the client.
>>
>> This uses only features that are present in SSLv3, so it is much more
>> likely to be implemented quickly and correctly, and it does not require
>> implementations to add any code for extension processing if they don't
>> already support extensions.  It also protects the lenient client and
>> unfortunate servers above since there is no reason not to include the
>> magic cipher suite in ALL handshakes.
>>
>> Here is a pointer to a summary of the proposal:
>>
>>    http://www.ietf.org/mail-archive/web/tls/current/msg04393.html
>>
>> I am not a spec. writer, so someone else should write it up.  If it is
>> adopted I will implement it in my test server in short order for anyone
>> to test against.
>>
>> Mike
>>
>>
>> [*] a lenient client is one that would connect to any server regardless
>> of whether it is patched or not.  Since there is a not-insignificant
>> chance that a server will barf on the use of extensions, and the
>> lenient
>> client wouldn't abort the handshake even if the extension is not
>> returned by the server, it is less painful to just do what's always
>> been done.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email