Re: [TLS] implementation of cookies in DTLS

Robin Seggelmann <seggelmann@fh-muenster.de> Mon, 14 March 2011 15:51 UTC

Return-Path: <seggelmann@fh-muenster.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 16FB63A6D6C for <tls@core3.amsl.com>; Mon, 14 Mar 2011 08:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 717z41FO5wKS for <tls@core3.amsl.com>; Mon, 14 Mar 2011 08:51:43 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id 27CE93A6D1C for <tls@ietf.org>; Mon, 14 Mar 2011 08:51:39 -0700 (PDT)
Received: from [212.201.121.94] (helo=[10.0.1.103]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <seggelmann@fh-muenster.de>) id 1PzA4m-0007Jv-EW; Mon, 14 Mar 2011 16:52:56 +0100
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Robin Seggelmann <seggelmann@fh-muenster.de>
In-Reply-To: <4D7E3487.7090805@gnutls.org>
Date: Mon, 14 Mar 2011 16:52:55 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <40048296-255C-4DBF-A1B0-3E18721EE710@fh-muenster.de>
References: <4D7D0292.7080700@gnutls.org> <CC864D93-07CA-4381-8C7A-CB263A3CA7DA@fh-muenster.de> <4D7E3487.7090805@gnutls.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
X-Mailer: Apple Mail (2.1082)
X-Df-Sender: mail@robin-seggelmann.de
Cc: =?iso-8859-1?Q?Michael_T=FCxen?= <tuexen@fh-muenster.de>, tls@ietf.org
Subject: Re: [TLS] implementation of cookies in DTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2011 15:51:44 -0000

On Mar 14, 2011, at 4:30 PM, Nikos Mavrogiannopoulos wrote:

> On 03/14/2011 04:12 PM, Robin Seggelmann wrote:
> 
>>> Hello, I've been reading the section "Denial of Service
>>> Countermeasures" of DTLS and as I understand it the proposed
>>> subsystem (client-hello and client-hello-verify-request) is
>>> expected to operate before allocating state for the session to
>>> discard requests from clients with forged addresses.
>>> 
>>> Some comments: 1. The document says: If a server receives a
>>> ClientHello with an invalid cookie, it SHOULD treat it the same as
>>> a ClientHello with no cookie.
>>> 
>>> What does it mean with regards to the handshake sequence. Does the 
>>> second HelloVerifyRequest has seq=0 or seq=1?
>> 
>> The second HelloVerifyRequest should have seq=0 again, since the
>> server must not change its state. That's how I implemented it in
>> OpenSSL.  The server does not change any sequence numbers until a
>> cookie has been verified and the regular handshake continues.
> 
> What about the record_seq. Is it also 0? If yes  a client
> would see this record packet as a replay and discard it. If no
> it seems you have to keep state...

The record_seq is still increased, because it has to be unique. I wouldn't consider this as a problem because it's just a counter you're increasing. There is no resource allocation necessary and there is no benefit for an attacker to send many ClientHellos to increase the sequence number. It's only used for HMAC verification and replay check and will be reset to 0 after the ChangCipherSpec anyway.

However, I see your point. Maybe the document should state more explicitly that handshake sequence numbers must not be increased, because they always have to be the same and always have to start with 0, while the record_seq has to be unique and therefore has to change.

Regards,
Robin

>>> e.g. if I receive ClientHello (record_seq=0, seq=0)  ------>
>>> 
>>> <-- HelloVerifyRequest (record_seq=0, seq=0)
>>> 
>>> ClientHello (record_seq=1, seq=1)  ------> (wrong cookie)
>>> 
>>> <-- HelloVerifyRequest (record_seq=1, seq=1) [seq copied from
>>> clienthello]
>>> 
>>> ClientHello (record_seq=2, seq=2)  ------> (wrong cookie)
>>> 
>>> <-- HelloVerifyRequest (record_seq=2, seq=2) [seq copied from
>>> clienthello]
>>> 
>>> ClientHello (record_seq=3, seq=3)  ------>
>>> 
>>> [server allocates session and continues handshake]
>> That may be helpful, but in my opinion "must not change its state"
>> includes not changing any sequence numbers.
> 
> What is of most concern is the record_seq. A client would just discard
> packets with the same sequence number.
> 
> regards,
> Nikos