IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Stefan Santesson <stefan@aaa-sec.com> Sat, 21 November 2009 22:58 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 264EB3A68B1 for <tls@core3.amsl.com>; Sat, 21 Nov 2009 14:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[AWL=0.270, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PzttV4zujI7f for <tls@core3.amsl.com>; Sat, 21 Nov 2009 14:58:51 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.111]) by core3.amsl.com (Postfix) with ESMTP id E8D143A689F for <tls@ietf.org>; Sat, 21 Nov 2009 14:58:50 -0800 (PST)
Received: from s29.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id A055228A888 for <tls@ietf.org>; Sat, 21 Nov 2009 23:58:54 +0100 (CET)
Received: (qmail 31057 invoked from network); 21 Nov 2009 22:58:45 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.3]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s29.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <david-sarah@jacaranda.org>; 21 Nov 2009 22:58:45 -0000
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Sat, 21 Nov 2009 23:58:45 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>, tls@ietf.org
Message-ID: <C72E2F35.6867%stefan@aaa-sec.com>
Thread-Topic: [TLS] simplistic renego protection
Thread-Index: Acpq/i1v5mxv+1ndn0Wj1QPAoqhKqg==
In-Reply-To: <4B08650A.9090409@jacaranda.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2009 22:58:52 -0000

I don't think this discussion is critical to selecting a solution, but one
more go in-line;


On 09-11-21 11:09 PM, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
wrote:

> Stefan Santesson wrote:
>> On 09-11-21 8:00 PM, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
>> wrote:
>> 
>>> That's an oversimplification.
>>> 
>>> The attacker is able to add a prefix to the server's view of the session.
>>> This changes the server's state from what it would have been on an
>>> initial connection. How far the attacker's influence on the server's
>>> state extends into that session, is dependent on the application protocol.
>> 
>> So we are saying the same thing.
>> 
>> As you say, it depends on the application. What I claim is that it is
>> possible to design an application that use channel binding to keep itself
>> safe from this attack. All it needs to do is to make sure that it's state is
>> reset after completed channel binding.
> 
> That's not correct; it needs to know that the client's state is reset as
> well (see below).

Frankly, I can't see why it isn't enough for the server to reset it's state
regardless of the client. The server will simply regard the first message
after channel-binding as the first legitimate message from the client.

> But suppose for the sake of argument, that both the client
> and server's state is reset when a renegotiation occurs. In that case,
> channel binding is a red herring. Resetting the client and server states
> prevents the attack regardless of channel binding.

The difference is that channel binding offers a safe point in time when you
can do this reset.

> But then, why use
> renegotiation (and unnecessarily risk interoperability problems) if you're
> going to use it in a way that is completely equivalent to making a new
> connection?
> 

I agree, you have a point here. The point is more that you don't need to
take action to turn re-negotiation off if you are safe from the attack.

>> The fact that it is possible to be safe despite this vulnerability is an
>> argument that lenient servers should be supported in the solution.
> 
> Suppose that an unpatched client performs a renegotiation. The server
> doesn't know whether this is an intended renegotiation or an attack; so,
> it must reset its state,

No. If the renegotiation occurs after a successful channel binding, the
server can be assured that this is not an attack.

So the server will reset it's state after channel binding but not on
following renegotiations.

> as though the client had made a new connection.
> But with most application protocols, that won't work, because the client
> hasn't reset its state.
> 
> It might work in some special cases, where the application protocol is
> stateless between requests (like HTTP) and the renegotiation occurred
> at a request boundary. But then, there is absolutely no advantage to
> using renegotiation; it's unnecessary complexity.
> 
> One might argue: OK, renegotiation is unnecessary, but what if we want to
> retain interoperability with clients that do it anyway (between stateless
> requests, since that's the only case that would work)? However, in practice
> clients don't renegotiate just for the fun of it; we need to consider how
> renegotiation is actually used. I have not yet seen any plausible use case
> for continuing to support renegotiation with unpatched clients, where it
> wouldn't be simpler and more secure to do something else (given that you're
> suggesting that we modify how the server uses the application protocol in
> any case). For instance, when using renegotiation to prompt the client to
> present a client cert, it's easier to have it make such requests on a
> different port.

You might be absolutely right here. However, I think the burden of proof
should be reversed. Lenient servers should be supported unless we know for
sure that there is no legitimate use case. It should be the choice of the
local administrator to be strict, not the choice of the protocol designer.

IMO, if one solution can support of lenient servers, and the other proposal
can't then the one that can has merit.

/Stefan

v2.23.0 | Report a Bug | By Email