IETF Logo Mail Archive

Re: [TLS] Summarizing identity change discussion so far

Martin Rex <mrex@sap.com> Tue, 08 December 2009 16:11 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 454BF28C1F4 for <tls@core3.amsl.com>; Tue, 8 Dec 2009 08:11:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.192
X-Spam-Level:
X-Spam-Status: No, score=-6.192 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EXId3kPFXI+1 for <tls@core3.amsl.com>; Tue, 8 Dec 2009 08:11:40 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 2091B28C1F2 for <tls@ietf.org>; Tue, 8 Dec 2009 08:11:39 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nB8GBQI5002564 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 8 Dec 2009 17:11:26 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912081611.nB8GBQ8a019273@fs4113.wdf.sap.corp>
To: Pasi.Eronen@nokia.com
Date: Tue, 08 Dec 2009 17:11:26 +0100
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31D235DE@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Dec 8, 9 02:12:07 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 16:11:42 -0000

Pasi.Eronen@nokia.com wrote:
> 
> The security considerations section of this draft has to describe the
> fact that even with this fix, renegotiation does things that will
> surprise application developers, and can cause security
> vulnerabilities for some of them.
> 
> That part we cannot avoid -- some text has to be included.
> 
> It's not absolutely required that the text makes recommendations how
> to avoid those vulnerabilities, but IMHO it would be a bit strange to
> just describe the security problem without saying anything how to
> avoid it...


I agree with this reasoning.

Given the contention on this topic, I would prefer the guidance
to be:

 - non-normative on default behaviour

 - normative (SHOULD) on specific options a TLS implementation
   should offer to applications

Two options where identifying the exact location of renegotiation
in app-data is not necessary and interleaving of app-data and
renegotiation handshake is not a security problem:
  - no renegotiation
  - renegotiation only for identical certificate (chain)  = memcmp()
    (allowing authentication of a previously un-authenticated party)

Defining constraints for changes in identity where the application
has to deal with these changes becomes complex very quickly.

When there is some signaling between TLS implementation and application
(like a callback), and application data that arrives during the
renegotiation handshake is either dropped or leads to failed hanshake,
then a change of identity--even for something as "insignificant" as
a certificate renewal is manageable for the application.

There are issues in the existing SSL & TLS protocol specs that
cause a problem for such semantics: (a) the TLS spec explicitly allows
transfer of application messages interleaved with renegotiation
handshake messages, and (b) the TLS spec indicates that handshake
messages have precedence over application data, without saying
what this means.  Since this precedence is _not_ about processing
at the record layer (in TLS, all messages must be processed in order),
so it can only be about delivery to application.  But here, it
creates a confusion in the wrong direction.  Application data delivered
interleaved with the renegotiation handshake is protected under the
original cipher suite and under the original authentication.
Delaying that data until after authentication seems unreasonable,
because it would require an additional facility to tell the application
at what point in the application data stream the identity change
happened, long after the signaling of the new identity.


When application data delivery is allowed during renegotiation handshake
and the identity change signaling is _NOT_ after successful verification
of the peer's finished messsage, but instead is performed much earlier
in the handshake (such as during processing of the Certificate
handshake message), then this may easily create additional security
problems for an application.

 
-Martin

v2.23.0 | Report a Bug | By Email