[TLS] Finished verify_data collision (Was Re: draft-turner-ssl-must-not)
Marsh Ray <marsh@extendedsubset.com> Wed, 07 July 2010 23:40 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 159EB3A69DB for <tls@core3.amsl.com>; Wed, 7 Jul 2010 16:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.356
X-Spam-Level:
X-Spam-Status: No, score=-0.356 tagged_above=-999 required=5 tests=[AWL=0.384, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LMcVlzfkDZzv for <tls@core3.amsl.com>; Wed, 7 Jul 2010 16:40:46 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 73B4C3A68D3 for <tls@ietf.org>; Wed, 7 Jul 2010 16:40:46 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OWeET-0007Ff-M7; Wed, 07 Jul 2010 23:40:49 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id BC4F36334; Wed, 7 Jul 2010 23:40:45 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18f4omZjGIwkM+J4gNbM8Y8gAyCJ09plFQ=
Message-ID: <4C35107D.6040505@extendedsubset.com>
Date: Wed, 07 Jul 2010 18:40:45 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Thunderbird/3.0.5
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <C858DD65.5897%uri@ll.mit.edu> <4C33954B.5070308@extendedsubset.com> <87zky372ew.fsf@mocca.josefsson.org>
In-Reply-To: <87zky372ew.fsf@mocca.josefsson.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Finished verify_data collision (Was Re: draft-turner-ssl-must-not)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 23:40:49 -0000
On 07/07/2010 10:11 AM, Simon Josefsson wrote: > > TLS has integrity-only ciphersuites that does not provide > confidentiality, making the TLS Finished message visible to attackers. Yeah I was ignoring that because I was under the impression that it was deprecated in TLS 1.2. May be misremembering though. > But I don't follow the logic here and want to challenge you with a > question: what attack is enabled if an attacker can find a collision? > It may help to consider what attacks are enabled if the TLS Finished > messages is truncated to, say, 10 bits instead. The attack is if a MitM can convince a client and server that they should exchange the same client or server Finished hash, yet the handshake has been manipulated by the attacker. Possible consequences: * Version downgrade * Ciphersuite downgrade attack * Re-establishing unsafe renegotiation with a compatible-mode client and a strict server. * Client credentials stealing/forwarding attack. The bar is pretty high for this kind of attack: * It likely needs to be an on-line attack (i.e., attacker has to be able to calculate the collision within the timeout window of the handshake. One could imagine some systems having no enforced timeout however. * Mitm needs to obtain the client's premaster secret as part of the attack (the key material is needed to generate the hash). Note this is trivial with some real clients in common use that don't validate the server cert until they receive the Finished message. * Mitm probably needs to be able to manipulate ~48 bits of data in each direction, after any unpredictable values in that direction. For example, MitM may inject or manipulate a Certificate Request message in the server-to-client direction, this occurs after the unpredictable data in the hello and key exchange messages. But an actual cert verify message sent in response would mess it up again. * Probably only a single 96 bit finished message is collide-able. Colliding the combined 192 bits may never be practical. Nevertheless, an HTTPS server executes a buffered transaction with client cert renegotiation on receipt of the single finished message. A client will begin transmitting confidential data when he receives the server's single Finished message and Mitm may not need the server to accept one generated by the client. I gave this a bunch of thought a while back but couldn't come up with anything that could affect a plausible use case of TLS. But the reasons why it wouldn't work varied greatly with the negotiated auth mechanism, it was not because of any obvious design principle of TLS which resists a mitm from engineering a Finished message collision. With only minor changes, such an attack would be possible. For example, if a TLS implementation were to ignore unrecognized handshake messages yet included them in the hash. Consider the case of fixed-parameter DH client-server certificates. I don't recall any unpredictable data being sent by either side after the random data in the hellos. Mtim could manipulate the server hello as seen by the client, inject arbitrary handshake data into an extraneous cert presented or cert request received by the client. He might inject data into the client key exchange or certificate verify as seen by the server, and so on. Mitm could even convince the server to do one type of key exchange (e.g., DHE) and the client some other. Of course, if there is insufficient entropy in the Client Hello random, Server Hello random, or the premaster secret then a whole new set of possibilities opens up. For example, with a predictable server hello random, mitm might be able to modify data as early as the client hello in order to engineer a collision in one of the finished messages. It might also allow this attack to be partially precomputed offline. (This is one reason why I objected so strongly to the idea that a secure TLS endpoint could be implemented without a sufficient source of entropy.) Like I said, there may not be an effective attack here. The use of the secret key material in the Finished calculation rules out a lot of mischief. But since the "collision insensitivity" of TLS seems to be highly dependent on parameters which can be controlled by the attacker, we must be extremely careful when extending the handshake, changing Finished calculations, or relaxing constraints. - Marsh
- [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Ivan Ristic
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nasko Oskov
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Nelson B Bolyard
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Ben Laurie
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Yoav Nir
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Simon Josefsson
- [TLS] Finished verify_data collision (Was Re: dra… Marsh Ray
- Re: [TLS] Finished verify_data collision (Was Re:… Nikos Mavrogiannopoulos
- Re: [TLS] Finished verify_data collision (Was Re:… Marsh Ray