IETF Logo Mail Archive

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Tue, 10 November 2009 18:01 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B0C413A6B5B for <tls@core3.amsl.com>; Tue, 10 Nov 2009 10:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.478
X-Spam-Level:
X-Spam-Status: No, score=-2.478 tagged_above=-999 required=5 tests=[AWL=0.121, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMIIK9FZIk3Z for <tls@core3.amsl.com>; Tue, 10 Nov 2009 10:01:45 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id DAFA53A6B5C for <tls@ietf.org>; Tue, 10 Nov 2009 10:01:45 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7v2i-000C0h-Nk; Tue, 10 Nov 2009 18:02:12 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D91CD6678; Tue, 10 Nov 2009 18:02:10 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+mCnn7FQbhfC4N59CRxTbaAuHR4zRu/+o=
Message-ID: <4AF9AA9E.8030603@extendedsubset.com>
Date: Tue, 10 Nov 2009 12:02:06 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03@il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963@fs4113.wdf.sap.corp> <20091109223417.GK1105@Sun.COM> <4AF8E755.5020208@extendedsubset.com> <20091110164609.GS1105@Sun.COM>
In-Reply-To: <20091110164609.GS1105@Sun.COM>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 18:01:46 -0000

Nicolas Williams wrote:
> On Mon, Nov 09, 2009 at 10:08:53PM -0600, Marsh Ray wrote:
> 
> TLS connections are not so long lived

But there is no defined upper limit.

> that we should worry about issues
> such as, for example, public key rollover or certificate expiration
> during a connection's lifetime.

I agree, but we should probably check that it's documented somewhere.

> Therefore a simple Certificate octet-
> for-octet comparison will do for identity comparison.  Anything more
> complicated than that (and anon->non-anon) would make Martin's proposal
> too unqieldy to consider at this point, and possibly ever.

So this restriction would not apply when another auth type is used?

>> Isn't that one of the major uses of renegotiation? To change identity?
> 
> But only from anonymous to non-anonymous, right?  That's also easy to
> specify.

One subtlety is that apps (https servers) are still expecting the
transition to preserve some guarantees about identity. Even though the
first session is "anonymous" it still has an identity, namely it has to
be the same party as all previous non-anonymous sessions on the same
connection.

The proposed Renegotiation Indication extension attempts to enforce
those guarantees, but I'm not sure it's so easy to specify that it
shouldn't be given a lot of thought. (Consider what happens when you add
various combinations of resumption into the mix.)

> Ordering cipher suites by strength is a complex
> topic that I'd rather avoid for the specific enhancement that Martin
> proposes.

Perhaps ordering levels of authentication is equally complex.

>> Would that make it illegal to resume a previous session over the same
>> underlying connection if it could not be proven it was "the same" identity?
> 
> There's no authentication during session resumption handshakes --
> there's only proving that both peers remember the relevant state,
> including master secret.

Isn't proving "I'm the same as that other guy" a form of authentication?

Surely this will be allowed:

  |--- session A anon ---||-- resumed A --|

Is this allowed?

  |--- session A anon ---|
  |--- session B anon ---||-- resumed A --|

I have heard that browsers may do this.

>> What if the session's identity were strengthened? Could you end up in a
>> situation where a session could be resumed on any of several other
>> connections except the one on which it originated!
> 
> I'm not sure I follow.  See above.

1  |--- session A anon ---||-- session B client cert auth --|
2  |--- session C anon -----|
3  |--- session D anon -----------|
4  |--- session E anon -----|

Would an effect of the proposal be that session A can be resumed on
connections (2, 3, 4) but not 1?

- Marsh

v2.23.0 | Report a Bug | By Email