Re: [TLS] simplistic renego protection
Michael D'Errico <mike-list@pobox.com> Mon, 16 November 2009 01:12 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 13F943A6831 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 17:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[AWL=0.557, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4yIF2cGWW9n for <tls@core3.amsl.com>; Sun, 15 Nov 2009 17:12:11 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 082B33A67FC for <tls@ietf.org>; Sun, 15 Nov 2009 17:12:09 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 45C7D9E29B for <tls@ietf.org>; Sun, 15 Nov 2009 20:12:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=1jgRhzHMc+wX fXEfhyft+LQVM8k=; b=Bw8El7/rskowoXW8b8f6kPY6i9cH2eMNibfBLosax/Ck h1/9NSP8dDKLSEOghFj7SlG5/sfg4Dt1rGlCLLXTaGAFoqRs9XS8HFifcdkYi3rq 34g3oRvjniMZjRsNQbXA+R4k+TB6iAb27nP6vk1+VpdL5UoY5q8qO3PIEV0qNmc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=w+rAj1 plFiFIR0gXEultKZa9CQOEKbTNTdWCLGas61cVnZOei16Ii8GpdNX5upo31RAi31 Rk10py66kL8Py7oq4jK0Vyt6/A3vvvdRBzI/jFk1dqyiQUorkmX5bTOyL5zXHlyD YAFnltKFxa9vZZwNui7dswvrEw7Yxxm83HsJw=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 422CA9E29A for <tls@ietf.org>; Sun, 15 Nov 2009 20:12:08 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id D4DA99E298 for <tls@ietf.org>; Sun, 15 Nov 2009 20:12:07 -0500 (EST)
Message-ID: <4B00A722.1020400@pobox.com>
Date: Sun, 15 Nov 2009 17:13:06 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911160036.nAG0atRS014903@fs4113.wdf.sap.corp>
In-Reply-To: <200911160036.nAG0atRS014903@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 0F8378E0-D24D-11DE-84F6-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 01:12:12 -0000
> The most simplistic approch to renego protection is > > 1. the client signals that it is patched through a fake > ciphersuite ID in each ClientHello > > 2. the client only supports secure renegotiation and > secure renegotiation is specified to change the definition > of the handshake message hash for renegotiation handshakes > to include the verify_data of the client.finished and > server.finished after the ServerHello. No, this does not plug the hole. The magic ciphersuite in (1) requires that the server recognize it, i.e. it is patched. Therefore it will not perform insecure renegotiation even without seeing the ciphersuite (especially without seeing it). And again the client's INITIAL handshake is the one that the server sees as a renegotiation in Marsh's attack, so the fact that the client won't REnegotiate (2) is unhelpful; the attack has already completed. Mike
- Re: [TLS] simplistic renego protection Chris Newman
- [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Joseph Salowey (jsalowey)
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection peter.robinson
- Re: [TLS] simplistic renego protection Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] simplistic renego protection Stephen Farrell
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Yair Elharrar
- Re: [TLS] simplistic renego protection Steve Dispensa
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Robert Dugal
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Simon Josefsson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- [TLS] Definition of "lenient server" David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Bill Frantz
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Yngve Nysaeter Pettersen
- Re: [TLS] simplistic renego protection Peter Gutmann
- Re: [TLS] simplistic renego protection Kyle Hamilton