Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
Eric Rescorla <ekr@rtfm.com> Fri, 10 February 2017 20:56 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 722E9129BEE for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVRW589OQMbO for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DF711294A3 for <tls@ietf.org>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id w75so28224304ywg.1 for <tls@ietf.org>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oYzbv7KoYvJ75zUzhx6pTVYEPivpjpMM2SFVH3czNKo=; b=k7TLF63p5xeQM5qXXxcsy9Dzl+JkCfjHjs9wDZTo4EXj/X+tLWNc+imobzw6KLnUGR +dEGrY4J+KeeigFoIw389PZqPhXBkqZG58A5tkaZMZunQHRbPYACZqMtYxauQSdWhR6y KCbetwZwwHP1oZh876aB1dto7ELu7T7dK73LrBuEkryucKQO1zyZ3sIbXOcws45qyweW i7jMrc0nuW6IMgxIUcXd1Ude3olv8n/Lh0kGJaGjf/oUsNtZZf4v+f5lfAf6b6d07Zu3 r1k2Yg85OV/HPPWqYQqZSX0zHjvBMk7CaqXTJxImYlYAye0NAcPOfS8BfCCaTlIV61Zy vlTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oYzbv7KoYvJ75zUzhx6pTVYEPivpjpMM2SFVH3czNKo=; b=DWjftTR+xO0FMhY1IiObrPmGjNVjRHH7Hc8gkLTDzGQon/hppGlhFGm24ZPllVWb4b Kcc/5xtaHumrruQWGlSvuHKOM/U+G9Oqd8joZXwWaqnMnvzVnYxxbWlzOwhDOUR7gxBJ ij+TZm+c+B8jRBbvZ/7wIB3kko4VinAwB+xTk6R+lzI+oJi8/uxGot1h95bQbPOUM4q4 SbhJ8K/3n61fDRuy3Tf5w0jL1cxpEvv2Abm2DWgr+WmqiDH9TTGGMCQfWZgSnAkuuNLx /skZiqUKgLiyyF7aymT/e8OLfSza49tDaGanY93l4/hYLr8KOBxWmcbcWOJgX5joPinc fmig==
X-Gm-Message-State: AMke39kS4315NHUXZ+66F3s58Z7iSBSk3Qlgew2H0UesQsAMvH2qinAdD5sOOb6hH1LK8JwuDZsZuMiiNbVUIw==
X-Received: by 10.129.108.131 with SMTP id h125mr7928952ywc.71.1486760199257; Fri, 10 Feb 2017 12:56:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Fri, 10 Feb 2017 12:55:58 -0800 (PST)
In-Reply-To: <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com> <CABcZeBPxid8W-r4uUXewFg+cYtUssqQLOcjJ=2ueuyVqj4qZUA@mail.gmail.com> <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 10 Feb 2017 12:55:58 -0800
Message-ID: <CABcZeBPNFbheX_6SBd7wuFXohXJzqXNVUJRaNdZ=oiuu4ThYrw@mail.gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
Content-Type: multipart/alternative; boundary="001a114dcf788b5e1d05483355d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HRxiRRiyoffuVeBeg5GfRhBu2vo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 20:56:42 -0000
On Fri, Feb 10, 2017 at 12:52 PM, Sam Scott <sam.scott89@gmail.com> wrote: > Hi Ekr, > > That's a good summary of the situation. Indeed we weren't previously > considering TLS as able to enforce the ordering of messages which does seem > to mitigate our scenario for property A. We haven't really had a chance to > take that into consideration for property B, but at a glance it does still > seem to be an issue. > I agree. It doesn't mitigate B at all unless there are application semantics that do so (which is the same as it doesn't mitigate it, I guess). > As mentioned in my other email, one scenario we encountered this was if > (using your message numbering as reference) messages 5 or 9 happened to be > a NewSessionTicket. In this case, the client might be under the impression > that they have a session ticket for a mutually authenticated channel. > Yes, I agree with this. -Ekr > Thanks, > > Sam > On 10/02/17 20:39, Eric Rescorla wrote: > > Cas, Sam, > > I thought I understood your concern here but maybe I don't. > > Say we have the following sequence of messages > > 1. C->S: ClientHello > 2. S->C: ServerHello...ServerFinished > 3. C->S: ClientFinished > 4. C->S: App message > 5. S->C: App message > 6. S->C: CertificateRequest > 7: C->S: Certificate...Finished > 8: C->S: App message > 9: S->C: App message > > As you indicate, there's some ambiguity from the client's perspective > (property B) about whether messages 5 and 9 were sent by the server > prior to or after receiving message 7, and also message 8. This > ambiguity exists even without an attacker and may or may not be > resolved at the application layer. An attacker can exploit this > ambiguity by holding messages 7 and 8 and (as long as application > semantics permit this). > > Where I get confused is about property A. As I understand your > claim, an attacker can hold message 7 but deliver message 8 and > therefore, even if the client knows that 9 was in response to 8, > he doesn't know that the server received 7. As Ilari says, I don't > believe that this is correct because TLS enforces message ordering. > I agree that the specification doesn't explicitly say this, but > it's implicit in the processing rules via the following: > > 1. The encryption for each TLS record depends on the record sequence > number (RSN). > 2. Records do not carry their RSN, so when you decrypt a message, you > must use the last RSN + 1 > 3. When you fail to decrypt a message (which is what happens if you have > the wrong RSN) you are required to tear down the connection > (https://tlswg.github.io/tls13-spec/#record-payload-protection). > > For this reason, if the attacker removes message 7, then 8 will not > be decryptable, and so ordering is preserved. As Ilari says, this isn't > true in DTLS 1.3 which we'll presumably have to deal with one way > or the other before standardization (my plan would be just to forbid > post-handshake auth). Do you disagree with this? If so, perhaps you > could explain. > > -Ekr > > P.S. I am not sure that the regular TLS handshake guarantees these > properties either. The reason is that the server is permitted to > send data prior to receiving the client's second flight (0.5 RTT > data). See: > https://tlswg.github.io/tls13-spec/#protocol-overview > > > > > > On Fri, Feb 10, 2017 at 11:45 AM, Sam Scott <sam.scott89@gmail.com> wrote: > >> Hi Ilari, >> >> Thanks for the comments. >> >> Assuming the client sends a valid certificate that the server accepts, >> then the server cannot finish the handshake or begin processing incoming >> application data until authenticating the client. This *almost* gives us >> property (A). In practice, the client is aware that the server has >> successfully authenticated since the protocol continues. >> >> In the case that the server has implemented the reject option (rejecting >> a certificate but still continuing), and indeed rejects the certificate, >> then the server should send an alert message (or NAK of some form) for the >> property to hold in the initial handshake. >> >> However, even if we take the certificate reject + continue scenario into >> account for the initial handshake, then it is clear that this decision can >> only be made by the server in the initial handshake, while in the >> post-handshake client auth, an attacker can decide this (by dropping the >> message). >> >> The reason we don't believe an explicit ACK is needed is because >> upgrading to a new pair of keys explicitly provides this. Specifically, the >> client will send all subsequent data to the server under a new key. The >> server will not be able to decrypt this data until they receive the client >> authentication messages and upgrade the keys. >> >> This can be strengthened if the client's updated write key is computed >> using the authentication messages. >> >> We agree that TLS enforcing ordering of messages provides similar >> guarantees. However, we are analysing the specification as it is presented, >> which does not guarantee this. >> >> Thanks, >> >> Sam >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > >
- [TLS] Awkward Handshake: Possible mismatch of cli… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Victor Vasiliev
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Thomson
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex