Re: [TLS] Comments on TLS identity protection

Eric Rescorla <ekr@networkresonance.com> Tue, 19 December 2006 22:36 UTC

To: badra@isima.fr
Subject: Re: [TLS] Comments on TLS identity protection
References: <20061219204505.5F2EE5C01E@laser.networkresonance.com> <61434.86.72.162.216.1166567558.squirrel@www.isima.fr>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Tue, 19 Dec 2006 14:36:43 -0800
In-Reply-To: <61434.86.72.162.216.1166567558.squirrel@www.isima.fr> (badra@isima.fr's message of "Tue, 19 Dec 2006 23:32:38 +0100 (CET)")
Message-ID: <86ejqvpl6s.fsf@raman.networkresonance.com>
Cc: tls@ietf.org

badra@isima.fr writes:
>> Comments on: draft-hajjeh-tls-identity-protection-00
>>
>> BACKGROUND
>> The TLS handshake occurs in the clear. Thus, any observer can
>> determine the credentials used by the client or server to authenticate
>> themselves. This document describes an "identity protection" mode for
>> TLS designed to hide the client's certificate.
>>
>>
>> GENERAL COMMENTS
>> I don't understand what the motivation for this mode is. I appreciate
>> that it was an advertised feature of IPsec, but TLS doesn't
>> need to replicate every feature of IPsec. In particular, since
>> certificate-based client authentication is actually fairly
>> rare, it's not clear that *privacy* of that client authentication
>> is really a big consideration.
>
> In EAP-TLS, an implementation of TLS for Wireless LAN and later for WiMAX,
> the client is authenticated based on the certificate's use. This is the
> initial motivation of this work.

Yes, but I don't think this really explains why the certificate
needs to be kept secret or why the double handshake technique isn't
good enough.


>> In order for the identity protection to be protected against
>> MITM attack, the server cert needs to be verified prior to
>> sending the Certificate message. Because the question of whether
>> this is the correct certificate is outside of TLS, in many TLS
>> stacks the handshake completes prior to checking the server
>> hostname. That won't work here.
>
>
> Could you clarify that please? I didn't get the point regarding the server
> cert which is sent in cleartext.

The attacker performs a MITM attack with a valid certificate.
The TLS implementation completes the handshake and then prompts
the application to verify the certificate's identity against
the intended identity. This fails, but by this time the client
has already provided his certificate.

-Ekr
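
The ordering problem described in the reply above, as an added example that is not part of the original message: a constructed Python model of a TLS client that checks the server name either after the handshake or before sending its Certificate message, recording what the party terminating the connection gets to see. All host names, the `CN=alice` value and the function names are hypothetical, and name matching is simplified to an exact comparison.

```python
from dataclasses import dataclass, field

@dataclass
class ServerCert:
    subject: str       # name the certificate was issued for
    chain_valid: bool  # True if it chains to a CA the client trusts

@dataclass
class Peer:
    """Whoever terminates the TLS connection (real server or MITM)."""
    cert: ServerCert
    seen_client_certs: list = field(default_factory=list)

class HandshakeAborted(Exception):
    pass

def client_handshake(peer, intended_host, client_cert, check_name_in_handshake):
    # 1. Chain validation happens inside the handshake in every stack.
    if not peer.cert.chain_valid:
        raise HandshakeAborted("untrusted chain")
    # 2. Early ordering: compare the name before the client Certificate is sent.
    if check_name_in_handshake and peer.cert.subject.lower() != intended_host.lower():
        raise HandshakeAborted("name mismatch before Certificate")
    # 3. The client Certificate goes to the holder of the session keys, so
    #    encrypting it does not hide it from a MITM that owns the session.
    peer.seen_client_certs.append(client_cert)
    # 4. Late ordering: the application compares the name after the handshake.
    if peer.cert.subject.lower() != intended_host.lower():
        raise HandshakeAborted("name mismatch after handshake")
    return "established"

def run(check_name_in_handshake, peer_subject="attacker.example"):
    """Connect to 'radius.example' through a peer holding a CA-valid
    certificate for peer_subject; return (outcome, certs the peer saw)."""
    peer = Peer(ServerCert(subject=peer_subject, chain_valid=True))
    try:
        outcome = client_handshake(peer, "radius.example", "CN=alice",
                                   check_name_in_handshake)
    except HandshakeAborted as exc:
        outcome = str(exc)
    return outcome, peer.seen_client_certs

if __name__ == "__main__":
    for early in (False, True):
        print("name check in handshake:", early, "->", run(early))
```

Both orderings reject the connection; only the early check rejects it before the client's identity has been disclosed.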
