IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 14 February 2017 16:14 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AB0612967F for <tls@ietfa.amsl.com>; Tue, 14 Feb 2017 08:14:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhjIQW2oQWAh for <tls@ietfa.amsl.com>; Tue, 14 Feb 2017 08:14:31 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 50085129668 for <tls@ietf.org>; Tue, 14 Feb 2017 08:14:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 200ED1B94C; Tue, 14 Feb 2017 18:14:29 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 8_x3frgK6_ao; Tue, 14 Feb 2017 18:14:28 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id C454E21C; Tue, 14 Feb 2017 18:14:28 +0200 (EET)
Date: Tue, 14 Feb 2017 18:14:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Message-ID: <20170214161425.GA3866@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABdrxL6qupAu+Ztxw7BU1e-eoy-kfJKRQq+ZZyoKokXHNZEoZQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABdrxL6qupAu+Ztxw7BU1e-eoy-kfJKRQq+ZZyoKokXHNZEoZQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SF2AUsGXVitNPl0k5NHAHxXV3Rc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 16:14:33 -0000

On Mon, Feb 13, 2017 at 12:32:53PM +0000, Cas Cremers wrote:
> 
> The main takeaway is that the client never really receives any
> acknowledgement of whether the verification provided was successful or
> rejected through an in-band mechanism.
> 
> The context of the keys does not include the client’s authentication status
> (nor the client’s certificate), and is the same in both cases. From a
> formal analysis point of view, this results in a mismatch where the client
> and server may not agree on the mutual authentication status, which is the
> main point we wanted to raise.

It is not just problem of "context of keys". TLS 1.3 explicitly allows
silently rejecting client authentication. No fatal error, no NAK, no
nothing.

Which impiles that client and server can disagree even about status of
in-handshake authentication. Including in resumption, even if the RMS
supposedly includes client's authentication status in its context.

This problem actually cuts protocol layers, and that's why it is so
hard. And things get even more fun when resumption is involved.

I expect there will be quite a bit of implementations that won't
trigger any errors if EE key can be parsed and the client signature
verified (due to layering rendering that way pretty natural).
 
> Assuming now that the key context will not be changed, we suggest to
> explicitly mention in the security guarantees section that the client,
> after sending authentication messages, cannot be sure at any point that the
> server has received these messages and considers the connection to be
> mutually authenticated. If the client wishes to obtain such a guarantee, it
> has to be informed by the server’s application.

See above why changing "context" won't fix the problem.

And yeah, "if you want to be sure, ask application layer" is
probably about the best that can be done.



-Ilari

v2.23.0 | Report a Bug | By Email