IETF Logo Mail Archive

Re: [TLS] TLSrenego - current summary of semantics and possibilities

Michael D'Errico <mike-list@pobox.com> Tue, 10 November 2009 20:57 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A683D3A6A2F for <tls@core3.amsl.com>; Tue, 10 Nov 2009 12:57:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K62qAMt3Ogc1 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 12:57:22 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id A4F903A68C9 for <tls@ietf.org>; Tue, 10 Nov 2009 12:57:22 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id C0F929AF07 for <tls@ietf.org>; Tue, 10 Nov 2009 15:57:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=CgAJGHUS0ycJ k7fbft3yxpVK0rE=; b=g6peYW0pKnDFCUeFChFBhfXIHGh3P6MDNhCQ6pCPYGSu wXVxQG9wzAUjWKrSGA8EPmKhFonW3NOymutb16QcecSnnPoPg3UlvHZ+1Te1ynW2 GcvrOT0LT9fc1Rd9NejW87dMset/CKZcbzlIy2WPUmAHFDnj5osdE71RNBFITc0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=gwnYOU ad7SnHS713ibVXwneiPotHZnlDxq36lLKtwj3XOBEJcLgN5ZdL2ciyY33X1ZlkIe sLtOYcINXZMb6Dyp24RtQcQmZ5lRStoSPV6I7LAJc5IQ6zvSNchIelLJvC5iC8VQ KPCjR6Wehuk76Tfw9i0M2whR8o7WEm0JrUPCw=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id BE4089AF06 for <tls@ietf.org>; Tue, 10 Nov 2009 15:57:48 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id D44B69AF02 for <tls@ietf.org>; Tue, 10 Nov 2009 15:57:47 -0500 (EST)
Message-ID: <4AF9D413.7090408@pobox.com>
Date: Tue, 10 Nov 2009 12:58:59 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911101928.nAAJSGjI020038@fs4113.wdf.sap.corp>
In-Reply-To: <200911101928.nAAJSGjI020038@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: B414D13A-CE3B-11DE-8380-BD45BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 20:57:23 -0000

> It is possible that a TLS client may not want to assert the TLS extension
> Renegotiation_Info in an initial ClientHello because of interoperability
> concerns with an installed base of not-quite-spec-compliant servers.

Then it will end up buying a lot of pizza.

Simply finishing the *initial* handshake completes the attack!  (The
server saw it as a renegotiation, not the client.)

To protect against this, the only thing that a client can do is include
the empty renegotiation info extension.  If the server returns it and
the handshake completes, there is no MITM.  In fact if you were to then
renegotiate, you wouldn't need the extension (!) because you are already
certain that the handshake was with the server and not the MITM.

There are a few possible results of sending the extension:

     a) the server responds with the extension
     b) the server responds without including the extension
     c) the server "crashes" because of the extension

(a) is fine as long as the extension is empty.
(c) could be simulated by the MITM, so be careful -- falling back to a
     less-secure mode can play into their hands
(b) continue at your own risk -- a client could hold off on sending a
     certificate (if requested) and not send any Cookies.  The HTTPS
     request will fail, but the client can just reissue it after the
     failure -- possibly after renegotiating to send its certificate
     (this is secure if the client has verified the server's cert).

> Overloading ("abusing") the semantics of other regular elements
> of an SSL/TLS handshake that have a lesser likelihood to upset
> legacy servers.
> 
>    - Assign one (or two) specific ciphersuite IDs that the client
>      can include in the ciphersuites list which signal the clients
>      notion of the connection state (initial vs. renegotiation)
>      to the server.
> 
>    - Assign one (or two) compression algorithm IDs that the client
>      can include in the supported compression algorithms list which
>      signal the clients notion of the connection state (initial vs.
>      renegotiation) to the server.

I would not like to see this kind of solution.  If code has to change,
Do The Right Thing.

> We could define a new TLS handshake message "RenegotiationRequest"
> to be sent instead of a "HelloRequest".  This would be an option for
> those servers, that will abort the handshake and connection
> if the client does not send the TLS extension Renegotiation_Info.

Again, the attack happens on the client's *initial* handshake, so it
never receives a HelloRequest.

Mike

v2.23.0 | Report a Bug | By Email