Re: [TLS] Inter-protocol attacks
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Wed, 13 August 2014 13:01 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6D41A0095 for <tls@ietfa.amsl.com>; Wed, 13 Aug 2014 06:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqR8kk__fEX3 for <tls@ietfa.amsl.com>; Wed, 13 Aug 2014 06:01:03 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761371A0053 for <tls@ietf.org>; Wed, 13 Aug 2014 06:01:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=Fja3EBHk/2R5K1+Yu0wNsMmWTnHE//yWk3REgwOyC6A=; b=Q6RPKNbZndeME+Omxn0pcXMSZesYOaJxcpJ2aR34kdQuJZfLqu2QETNO53BFOn/b2ysO6ejr8q6IvHAAayhkR2SAd0Ox5Oyt08Gh50Hjc+EPS/5yg2icVnVLXcKtJjGZ;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (envelope-from <antoine@delignat-lavaud.fr>) id 1XHYAZ-0001Nd-54 ; Wed, 13 Aug 2014 15:00:47 +0200
Message-ID: <53EB6180.2030006@delignat-lavaud.fr>
Date: Wed, 13 Aug 2014 14:00:48 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>
References: <CACsn0cmrtZm63ao876ryJPV1o-m2f4Mjda-H5JkH8q=Jjbc=qA@mail.gmail.com> <53E771B7.7060609@delignat-lavaud.fr> <CABkgnnXqt5+cJ=b45R7Xdm+ckZ9GFLzcj1f=aXuTEEXprtWS1w@mail.gmail.com>
In-Reply-To: <CABkgnnXqt5+cJ=b45R7Xdm+ckZ9GFLzcj1f=aXuTEEXprtWS1w@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OCCZLNTdlbHI98o7bxH2YDpRnug
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Inter-protocol attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Aug 2014 13:01:06 -0000
Le 8/11/2014 7:06 AM, Martin Thomson a écrit : > On 10 August 2014 06:20, Antoine Delignat-Lavaud > <antoine@delignat-lavaud.fr> wrote: >> Chrome introduced a very significant change to the authentication model of >> TLS that went virtually unnoticed. In SPDY, the TLS client session cache is >> no longer indexed by domain and port, but instead by domain set, IP and >> port: in classic TLS, an established connection or session can only be >> reused for the same domain, whereas in SPDY, it can be reused for any domain >> in the certificate verified when the session was created, provided that it >> points to the same IP as the original connection. The DNS condition is >> obviously meaningless to a network attacker, which means that all security >> guarantees that were previously session-specific should now be considered >> certificate-specific. > The behaviour you describe isn't quite correct, because - I believe - > that it requires that the DNS resolve to the same IP (or that one of a > set of alternative values point there). But that's not a particularly > important detail, DNS has never been a part of the security story for > https. It's a big part of http, but we all know what you get there. Ultimately, we agree that the precise DNS condition doesn't matter. In HTTPS, DNS is under attacker control. > Either way, this behaviour has been discussed at some length and was > not found lacking in the SPDY/HTTP2 context. Yes, HTTP/2 standardizes > this practice. The poor handling of Host header fields in HTTP/1.1 > means that it will probably never be advisable to do something like > this there. > > As always, I caution that we have to be careful to distinguish between > attacks on implementations and attacks on standards. I am aware that > there are bugs in implementations. I'm also told that they are > somewhat difficult to exploit. The argument is not whether such attacks are to blame on implementation or specification. The question is whether behavior such as reusing a connection established with attacker.com to send data meant for google.com /should be considered an attack at all/. This is the TLS mailing list, and the relevant problem here is the complete lack of any restriction in RFC 5246 and 5077 on when a session can be resumed. Thus, we end up in a situation where resumption is up to implementations to decide; because of the lack of any specification, TLS libraries simply hand off the decision to the application; the application won't know what to do (this kind of question is typically considered out of the scope of application protocol definitions), and thus let the user decide. Of course, the user is very unlikely to understand the security impact of session cache or name-based certificate settings, and this is how we end up with the kind of attacks I demonstrated at Black Hat. SPDY is an interesting case, as it does specify a clear resumption policy (even though, I must against stress out again, this policy technically allows resumption between any two HTTP origins as long as they appear in the same certificate; thus, CVE-2014-3166 does not violate any TLS or HTTP specification and cannot be considered an implementation bug). This policy should be interpreted as an authorization function for TLS authentication. In a full handshake, there is a well-specified and widely-adopted authorization function defined in RFC 5280. The problem I am pointing out is that the SPDY and PKIX authorization functions are incompatible. Thus, TLS features that assume PKIX authorization, such as SNI or ChannelID, may not guarantee the same security properties under SPDY authorization. Similarly, certain PKIX extensions will also fail under SPDY authorization, most notably certificate pinning. From the TLS viewpoint, it is reasonable to consider authorization outside the scope of the protocol. However, for the security of TLS, authentication and authorization must critically be preserved by resumption, as it is entirely a protocol feature that currently occurs without any application involvement. The issue may disappear in TLS 1.3 if resumption is removed, but in current versions, the use of different authorization policies for full handshakes and resumption should be considered a weakness, which can be exploited. Speaking of this, I have to disagree with your claim that attacks in this class are difficult to exploit. It may be true if you compare these attacks to heartbleed or browser memory bugs. However, compared to BEAST, Lucky13 or triple handshake, these attacks are orders of magnitude more exploitable. Best, Antoine Delignat-Lavaud
- [TLS] Inter-protocol attacks Watson Ladd
- Re: [TLS] Inter-protocol attacks Bodo Moeller
- Re: [TLS] Inter-protocol attacks Ilari Liusvaara
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Martin Thomson
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Martin Rex
- Re: [TLS] Inter-protocol attacks Ilari Liusvaara
- Re: [TLS] Inter-protocol attacks Martin Rex
- Re: [TLS] Inter-protocol attacks Antoine Delignat-Lavaud
- Re: [TLS] Inter-protocol attacks Karthikeyan Bhargavan
- Re: [TLS] Inter-protocol attacks Martin Thomson