Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
Marsh Ray <marsh@extendedsubset.com> Wed, 11 November 2009 03:59 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C93E3A6A62 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 19:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.232
X-Spam-Level:
X-Spam-Status: No, score=-2.232 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkMqvGX4HPIK for <tls@core3.amsl.com>; Tue, 10 Nov 2009 19:59:10 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 68CA73A6901 for <tls@ietf.org>; Tue, 10 Nov 2009 19:59:10 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N84Mr-000A2n-M0 for tls@ietf.org; Wed, 11 Nov 2009 03:59:37 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id EF5F46678 for <tls@ietf.org>; Wed, 11 Nov 2009 03:59:36 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18T96kKl7w5+7S4ESNZ+9jo1wBFUYqiqkE=
Message-ID: <4AFA36A8.9010805@extendedsubset.com>
Date: Tue, 10 Nov 2009 21:59:36 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200911102225.nAAMPElc000249@fs4113.wdf.sap.corp> <4AFA06CC.2080703@pobox.com>
In-Reply-To: <4AFA06CC.2080703@pobox.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 03:59:11 -0000
Michael D'Errico wrote: >> What you're asking for is to discontinue talking to the entire installed >> base of SSL&TLS implementations. i.e. clients should only talk to >> updated servers (which means they must be updated clients). > > I'm not asking for that. Even if Michael were, is there a choice? Is it even that unprecedented? Many endpoints no longer talk SSLv2. Presumably there was at least some software that once spoke earlier variants. Why were they abandoned, was it for saving bytes? Probably not. Did it make or save anybody much money? Probably not, SNI would long have been adopted if money were a sufficient motivator. No, earlier versions were abandoned because they were found to be less-than-ideal in the security department. This weakness is one of the last nails in the coffin for SSLv3, doomed from the start due to its lack of proper extensibility. It seems appropriate since it was 3.0 that quietly introduced this renegotiation bug. >> What about a transistion period? >> (A world-wide "SSL/TLS flag day" is probably unlikely) > > Yes, very unlikely. In some sense, SSLv3 was given the "legacy" label in January 1999, the date on RFC 2246 defining TLS 1.0. Who can complain after having been given 11 years' notice? For fixing TLS, there will certainly be a transition period the length of which will be determined by vendors, admins, and users as always. >>> Simply finishing the *initial* handshake completes the attack! (The >>> server saw it as a renegotiation, not the client.) >> >> But you do realize that it is an attack on the server? > [] > The server is attacked, but the client is also a victim because they > need to spend the time and energy convincing their credit card company > they didn't order something. It's an attack on a protocol which both parties are counting on for secure communications. There's nothing inherent in it that favors the security of one side over the other. >> And do you further realize, that it is a problem of the server >> that request or at least allow renegotiation -- those that reject >> renegotiation are _not_ vulnerable. > > Agreed. What if variants of the attack allow MITM to renegotiate with the client and inject data towards it? Doesn't the server application have just as much an interest in the integrity of the message as the client app does? Would you want to exchange critical secret documents with someone who was known to fall for simple email scams? > He can indeed. This is a really bad flaw. I'm saying that it's risky to > fall back, but I'm sure that won't stop everyone from doing it. I believe the key is correct information at the appropriate times. I personally would expect my browser to warn me if it was falling back to a less secure communication path. Users should expect to be given both complete raw information and synthesized recommendations such that they can 1) make an informed decision, 2) not be talked-down to, 3) learn something if they're in that mood. >>>> - Assign one (or two) specific ciphersuite IDs that the client >>>> can include in the ciphersuites list which signal the clients >>>> notion of the connection state (initial vs. renegotiation) >>>> to the server. >>>> >>>> - Assign one (or two) compression algorithm IDs that the client >>>> can include in the supported compression algorithms list which >>>> signal the clients notion of the connection state (initial vs. >>>> renegotiation) to the server. >>> I would not like to see this kind of solution. If code has to change, >>> Do The Right Thing. A simple 'renegotiating' flag has been proposed several times, but I don't think it adequately addresses the problem (binding the sessions over a single connection). Now MITM just has to put the client in some state such that the client believes he's renegotiating (without losing the connection crypto state or having some private key). It's certainly allowed for a conformant TLS client to be willing to renegotiate with MITM. I believe there are actual applications that may do that (intentionally or not). Perhaps it could be useful for SSLv3 though. Really though, we need to smuggle as much content as we can from the previous Finished messages. For example, probably no one would mind if we used some of those bottom bits of the GMT time in the ClientHello "random". We could probably put a few bits in the random area, too. After all, if they were willing to throw away 30+ bits of entropy (13% of it!) just to send the current time, surely we could use some space for verify data. Just 10 bits could make the attack 1000x harder. The same trick could be used to smuggle Finished verify data in the Server Hello as well. Thinking about it, the Hello messages are passed under the same crypto params as the verify data was originally, so it's not disclosing anything new. They also cannot be manipulated to assume certain values without breaking the hash in way that would be catastrophic even without renegotiation. They are statistically psuedorandom. One thing is that the Finished verify data is longer than the Hello.Random. Go figure. So we might take a subset of its bits, or they could be distributed as a statistical "watermark" on top of actual random data. For a worst-case estimate we could assume verify data are altogether free of entry. Even then we could make the MITM's job about a billion times harder at the cost of only another 13% of entropy from the random pool. Seems like something along these lines might work. This may be cryptographically dumb in some obvious way. I haven't thought about it much until just now and obviously it would need review. >> The IETF should provide solutions to the _real_ world. >> Limiting our solutions to an ideal world of academic purity will >> hurt the entire community of end users around the world. There are many, many deployments of TLS that will upgrade both endpoints to the most secure version the millisecond it becomes available from their vendors. They are very much in the real world. - Marsh
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard