IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 10 February 2017 19:54 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABD45129B52 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 11:54:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nRFbzsdiY2r for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 11:54:32 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0101.outbound.protection.outlook.com [104.47.37.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972FD129B39 for <tls@ietf.org>; Fri, 10 Feb 2017 11:54:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=o7yrln82KSQITuVECL8uRkuwFq/vXWb7vrN5gfhW7PU=; b=MySpjJvvgJBft1hcL1TD+2L2xcX99vANHL7JB2OxzWd3nNlYV4eljOGiOPze+0pduV5ACTuxyOUubHItzyEljCDmM5ZabEt1lZ8QwXYY9UUVL1IitAML36KQSFOqMsuduN966K09fMUY07j7yftXw6oj8MQ/GKhWdZtO08+amFs=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0843.namprd03.prod.outlook.com (10.160.163.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Fri, 10 Feb 2017 19:54:30 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0888.026; Fri, 10 Feb 2017 19:54:30 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Sam Scott <sam.scott89@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
Thread-Topic: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
Thread-Index: AQHSg5t3h43MYmEytkO14a3ComoThqFifUUAgAAoHQCAAAGI0A==
Date: Fri, 10 Feb 2017 19:54:30 +0000
Message-ID: <CY1PR0301MB084246763E664775322D79BA8C440@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com>
In-Reply-To: <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-ms-office365-filtering-correlation-id: 69e6dd79-defa-4316-e9d1-08d451eea0bf
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB0843;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0843; 7:JdOJJVdTxyzgdegRUakq/ZCbSovaugOW8P3SsRSZ5M7mtwd4CBnoTAK8QjwZ8IEgaUG91LTnK4xZjlXQEBpzjqjg17lzc5z4QlxXNVlGy270WVTrqPxQ3xuB7OnFx+qw2Y5S1FgvrDXgLnCCDlOAL+p0Q0nQ5tNME3nHemeCylVldE7SbkL2dY8vrM4+uEFock1xQnl/bSSy7wUP2j0/K03wcrkTowM/OmHbWd0igFc/wpTfgpUf58RGzsvyTkna97GJt8cYrF37FoP2Wh6caE2LWfYKUKLUx0hkH1s5WgO6K84i7X89PdnD4tHg6CJuChcN7k17vrIZmpxekeLVGvq667OMtil6YsasCP2jPKJsmRmjxEuawRbTPXfPpnn9SUiIEa2w5VSMXuZQIMdznkspPZNmq7+NbHrTZhh5TfRvHagGqDo726T77GwVE5yBZ/2giVpFfpUlqN6WH55aQqiYP+xffbOkerrzOBnTZwTh16ZHb+nC0Uw1/Hh3bISIwSrKZBuqmDWMWUhUCHv4d3IljB4pnQ7ceAGWA/uBivs=
x-microsoft-antispam-prvs: <CY1PR0301MB0843CA885ED431F6038B98908C440@CY1PR0301MB0843.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123555025)(20161123562025)(20161123560025)(20161123564025)(6072148)(6042181); SRVR:CY1PR0301MB0843; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0843;
x-forefront-prvs: 0214EB3F68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(377454003)(189002)(199003)(13464003)(51914003)(4326007)(229853002)(106116001)(105586002)(106356001)(76176999)(54356999)(122556002)(74316002)(6116002)(86362001)(2950100002)(2906002)(7736002)(50986999)(189998001)(53936002)(7696004)(97736004)(305945005)(102836003)(81156014)(86612001)(101416001)(33656002)(5005710100001)(10090500001)(8990500004)(10290500002)(5660300001)(6436002)(81166006)(8936002)(3280700002)(55016002)(6506006)(3660700001)(39060400001)(77096006)(38730400002)(6306002)(6246003)(8676002)(9686003)(25786008)(2900100001)(68736007)(99286003)(92566002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0843; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2017 19:54:30.4478 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0843
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/N8zcWD1n8k3zmsL_t7Mfxv_vwm4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 19:54:35 -0000

Hi Sam,

This part is not clear to me:
> ...while in the post-handshake client auth, an attacker can decide this (by dropping the message).

How does the attacker drop a TLS-protected message without terminating the connection?

Thanks,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Sam Scott
Sent: Friday, February 10, 2017 11:46 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Hi Ilari,

Thanks for the comments.

Assuming the client sends a valid certificate that the server accepts, then the server cannot finish the handshake or begin processing incoming application data until authenticating the client. This *almost* gives us property (A). In practice, the client is aware that the server has successfully authenticated since the protocol continues.

In the case that the server has implemented the reject option (rejecting a certificate but still continuing), and indeed rejects the certificate, then the server should send an alert message (or NAK of some form) for the property to hold in the initial handshake.

However, even if we take the certificate reject + continue scenario into account for the initial handshake, then it is clear that this decision can only be made by the server in the initial handshake, while in the post-handshake client auth, an attacker can decide this (by dropping the message).

The reason we don't believe an explicit ACK is needed is because upgrading to a new pair of keys explicitly provides this. Specifically, the client will send all subsequent data to the server under a new key. 
The server will not be able to decrypt this data until they receive the client authentication messages and upgrade the keys.

This can be strengthened if the client's updated write key is computed using the authentication messages.

We agree that TLS enforcing ordering of messages provides similar guarantees. However, we are analysing the specification as it is presented, which does not guarantee this.

Thanks,

Sam

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email