IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Eric Rescorla <ekr@rtfm.com> Fri, 10 February 2017 20:56 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 722E9129BEE for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVRW589OQMbO for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DF711294A3 for <tls@ietf.org>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id w75so28224304ywg.1 for <tls@ietf.org>; Fri, 10 Feb 2017 12:56:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oYzbv7KoYvJ75zUzhx6pTVYEPivpjpMM2SFVH3czNKo=; b=k7TLF63p5xeQM5qXXxcsy9Dzl+JkCfjHjs9wDZTo4EXj/X+tLWNc+imobzw6KLnUGR +dEGrY4J+KeeigFoIw389PZqPhXBkqZG58A5tkaZMZunQHRbPYACZqMtYxauQSdWhR6y KCbetwZwwHP1oZh876aB1dto7ELu7T7dK73LrBuEkryucKQO1zyZ3sIbXOcws45qyweW i7jMrc0nuW6IMgxIUcXd1Ude3olv8n/Lh0kGJaGjf/oUsNtZZf4v+f5lfAf6b6d07Zu3 r1k2Yg85OV/HPPWqYQqZSX0zHjvBMk7CaqXTJxImYlYAye0NAcPOfS8BfCCaTlIV61Zy vlTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oYzbv7KoYvJ75zUzhx6pTVYEPivpjpMM2SFVH3czNKo=; b=DWjftTR+xO0FMhY1IiObrPmGjNVjRHH7Hc8gkLTDzGQon/hppGlhFGm24ZPllVWb4b Kcc/5xtaHumrruQWGlSvuHKOM/U+G9Oqd8joZXwWaqnMnvzVnYxxbWlzOwhDOUR7gxBJ ij+TZm+c+B8jRBbvZ/7wIB3kko4VinAwB+xTk6R+lzI+oJi8/uxGot1h95bQbPOUM4q4 SbhJ8K/3n61fDRuy3Tf5w0jL1cxpEvv2Abm2DWgr+WmqiDH9TTGGMCQfWZgSnAkuuNLx /skZiqUKgLiyyF7aymT/e8OLfSza49tDaGanY93l4/hYLr8KOBxWmcbcWOJgX5joPinc fmig==
X-Gm-Message-State: AMke39kS4315NHUXZ+66F3s58Z7iSBSk3Qlgew2H0UesQsAMvH2qinAdD5sOOb6hH1LK8JwuDZsZuMiiNbVUIw==
X-Received: by 10.129.108.131 with SMTP id h125mr7928952ywc.71.1486760199257; Fri, 10 Feb 2017 12:56:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Fri, 10 Feb 2017 12:55:58 -0800 (PST)
In-Reply-To: <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com> <CABcZeBPxid8W-r4uUXewFg+cYtUssqQLOcjJ=2ueuyVqj4qZUA@mail.gmail.com> <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 10 Feb 2017 12:55:58 -0800
Message-ID: <CABcZeBPNFbheX_6SBd7wuFXohXJzqXNVUJRaNdZ=oiuu4ThYrw@mail.gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
Content-Type: multipart/alternative; boundary="001a114dcf788b5e1d05483355d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HRxiRRiyoffuVeBeg5GfRhBu2vo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 20:56:42 -0000

On Fri, Feb 10, 2017 at 12:52 PM, Sam Scott <sam.scott89@gmail.com> wrote:

> Hi Ekr,
>
> That's a good summary of the situation. Indeed we weren't previously
> considering TLS as able to enforce the ordering of messages which does seem
> to mitigate our scenario for property A. We haven't really had a chance to
> take that into consideration for property B, but at a glance it does still
> seem to be an issue.
>

I agree. It doesn't mitigate B at all unless there are application
semantics that do so (which is the same
as it doesn't mitigate it, I guess).


> As mentioned in my other email, one scenario we encountered this was if
> (using your message numbering as reference) messages 5 or 9 happened to be
> a NewSessionTicket. In this case, the client might be under the impression
> that they have a session ticket for a mutually authenticated channel.
>

Yes, I agree with this.

-Ekr


> Thanks,
>
> Sam
> On 10/02/17 20:39, Eric Rescorla wrote:
>
> Cas, Sam,
>
> I thought I understood your concern here but maybe I don't.
>
> Say we have the following sequence of messages
>
>   1. C->S: ClientHello
>   2. S->C: ServerHello...ServerFinished
>   3. C->S: ClientFinished
>   4. C->S: App message
>   5. S->C: App message
>   6. S->C: CertificateRequest
>   7: C->S: Certificate...Finished
>   8: C->S: App message
>   9: S->C: App message
>
> As you indicate, there's some ambiguity from the client's perspective
> (property B) about whether messages 5 and 9 were sent by the server
> prior to or after receiving message 7, and also message 8. This
> ambiguity exists even without an attacker and may or may not be
> resolved at the application layer. An attacker can exploit this
> ambiguity by holding messages 7 and 8 and (as long as application
> semantics permit this).
>
> Where I get confused is about property A. As I understand your
> claim, an attacker can hold message 7 but deliver message 8 and
> therefore, even if the client knows that 9 was in response to 8,
> he doesn't know that the server received 7. As Ilari says, I don't
> believe that this is correct because TLS enforces message ordering.
> I agree that the specification doesn't explicitly say this, but
> it's implicit in the processing rules via the following:
>
> 1. The encryption for each TLS record depends on the record sequence
>    number (RSN).
> 2. Records do not carry their RSN, so when you decrypt a message, you
>    must use the last RSN + 1
> 3. When you fail to decrypt a message (which is what happens if you have
>    the wrong RSN) you are required to tear down the connection
>    (https://tlswg.github.io/tls13-spec/#record-payload-protection).
>
> For this reason, if the attacker removes message 7, then 8 will not
> be decryptable, and so ordering is preserved. As Ilari says, this isn't
> true in DTLS 1.3 which we'll presumably have to deal with one way
> or the other before standardization (my plan would be just to forbid
> post-handshake auth). Do you disagree with this? If so, perhaps you
> could explain.
>
> -Ekr
>
> P.S. I am not sure that the regular TLS handshake guarantees these
> properties either. The reason is that the server is permitted to
> send data prior to receiving the client's second flight (0.5 RTT
> data). See:
> https://tlswg.github.io/tls13-spec/#protocol-overview
>
>
>
>
>
> On Fri, Feb 10, 2017 at 11:45 AM, Sam Scott <sam.scott89@gmail.com> wrote:
>
>> Hi Ilari,
>>
>> Thanks for the comments.
>>
>> Assuming the client sends a valid certificate that the server accepts,
>> then the server cannot finish the handshake or begin processing incoming
>> application data until authenticating the client. This *almost* gives us
>> property (A). In practice, the client is aware that the server has
>> successfully authenticated since the protocol continues.
>>
>> In the case that the server has implemented the reject option (rejecting
>> a certificate but still continuing), and indeed rejects the certificate,
>> then the server should send an alert message (or NAK of some form) for the
>> property to hold in the initial handshake.
>>
>> However, even if we take the certificate reject + continue scenario into
>> account for the initial handshake, then it is clear that this decision can
>> only be made by the server in the initial handshake, while in the
>> post-handshake client auth, an attacker can decide this (by dropping the
>> message).
>>
>> The reason we don't believe an explicit ACK is needed is because
>> upgrading to a new pair of keys explicitly provides this. Specifically, the
>> client will send all subsequent data to the server under a new key. The
>> server will not be able to decrypt this data until they receive the client
>> authentication messages and upgrade the keys.
>>
>> This can be strengthened if the client's updated write key is computed
>> using the authentication messages.
>>
>> We agree that TLS enforcing ordering of messages provides similar
>> guarantees. However, we are analysing the specification as it is presented,
>> which does not guarantee this.
>>
>> Thanks,
>>
>> Sam
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
>

v2.23.0 | Report a Bug | By Email