Re: [TLS] TLS renegotiation issue

Eric Rescorla <ekr@rtfm.com> Thu, 05 November 2009 20:55 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 950903A68EC for <tls@core3.amsl.com>; Thu, 5 Nov 2009 12:55:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3O9qNTgkEUwn for <tls@core3.amsl.com>; Thu, 5 Nov 2009 12:55:18 -0800 (PST)
Received: from mail-yx0-f192.google.com (mail-yx0-f192.google.com [209.85.210.192]) by core3.amsl.com (Postfix) with ESMTP id 7C9813A682E for <tls@ietf.org>; Thu, 5 Nov 2009 12:55:18 -0800 (PST)
Received: by yxe30 with SMTP id 30so412733yxe.29 for <tls@ietf.org>; Thu, 05 Nov 2009 12:55:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.90.41.17 with SMTP id o17mr6214373ago.35.1257454538356; Thu, 05 Nov 2009 12:55:38 -0800 (PST)
In-Reply-To: <20091105202130.GH1105@Sun.COM>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <d3aa5d00911051016p7a0cc508q2090b86de30a50d5@mail.gmail.com> <20091105184615.GG1105@Sun.COM> <d3aa5d00911051109r3d5dae33jef42e9dd2db1b0b@mail.gmail.com> <20091105202130.GH1105@Sun.COM>
Date: Thu, 5 Nov 2009 12:55:38 -0800
Message-ID: <d3aa5d00911051255p1974d4c9j29fcd68259fe63cc@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS renegotiation issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2009 20:55:19 -0000

On Thu, Nov 5, 2009 at 12:21 PM, Nicolas Williams
<Nicolas.Williams@sun.com> wrote:
> On Thu, Nov 05, 2009 at 11:09:51AM -0800, Eric Rescorla wrote:
>> On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
>> <Nicolas.Williams@sun.com> wrote:
>> > On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
>> >> I now have a draft extension up at:
>> >>
>> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
>> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
>> >
>> > Initial comments based on a brief skim:
>> >
>> >  - Please add a normative reference to RFC5056.
>>
>> There's no need for a normative reference here. This mechanism is
>> self-contained.
>> I'd be happy to add an informative reference.
>
> That's also true about draft-altman-tls-channel-bindings then, but you
> have a normative reference to it.  I'm happy with an informative
> reference.

That's an editing error. I'll add informative to both.




>> >  - There is a way for clients to protect themselves even when servers
>> >   don't implement this extension:
>> >
>> >   a) clients MUST NOT ever send any application-level messages without
>> >      TLS protection if they are willing to negotiate a TLS connection
>> >      after sending any application-level messages,
>> >
>> >   _and_,
>> >
>> >   b) if a server requests re-negotiation then the client MUST ensure
>> >      that the outer and inner TLS connection handshakes used a server
>> >      certificate, and, specifically, the _same_ server certificate,
>> >      otherwise the client MUST abort without ever completing the
>> >      second/inner handshake.
>>
>> This isn't enough. If you look at the diagram you can see that the
>> client never experiences a renegotiation.
>
> That's one diagram.  There's other cases, but even in the case you
> described, if the client never experiences a re-negotiation then it will
> not have authenticated itself, or, if it has authenticated itself then
> it will/should also have authenticated the server to the client, in
> which case the MITM can't be.  As a result the MITM gets nothing.  (My
> rules cover the case where a client would send a request unprotected,
> then negotiates TLS when the server requires authentication -- my rules
> forbid that.)

You're assuming that certificate-based client auth is the only issue.
But the attacker can do damage just by injecting a prefix to an
ordinary cookie-authenticated request.

-Ekr