[TLS] What is spliced

Eric Rescorla <ekr@networkresonance.com> Mon, 07 December 2009 22:02 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 69FEE28C0E0 for <tls@core3.amsl.com>; Mon, 7 Dec 2009 14:02:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.925
X-Spam-Level:
X-Spam-Status: No, score=0.925 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjfLYp0tJKX9 for <tls@core3.amsl.com>; Mon, 7 Dec 2009 14:02:51 -0800 (PST)
Received: from kilo.networkresonance.com (216.156.83.78.ptr.us.xo.net [216.156.83.78]) by core3.amsl.com (Postfix) with ESMTP id B4FC53A63EB for <tls@ietf.org>; Mon, 7 Dec 2009 14:02:51 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id E36B16C5243 for <tls@ietf.org>; Mon, 7 Dec 2009 14:04:27 -0800 (PST)
Date: Mon, 07 Dec 2009 14:04:27 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: tls@ietf.org
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091207220427.E36B16C5243@kilo.networkresonance.com>
Subject: [TLS] What is spliced
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 22:02:52 -0000

There has been a bunch of discussion about what the introduction should
say about what is spliced together in this attack. Here's my proposed
new text, based on trying to integrate various comments from Nelson,
Marsh, etc.

This attack can be prevented by cryptographically binding
renegotiation handshakes to the enclosing TLS channel, or more
properly, to the TLS handshake which established the security
parameters over which the new handshake is being performed. This
prevents the attacker from splicing a negotiation occuring over one
set of security parameters (including the initial pre-handshake
set of TLS_NULL_WITH_NULL_NULL) into
another set of security parameters. An attempt by an attacker to
inject himself as described above will result in a mismatch of the
extension and can thus be detected. The data used in the extension is
similar to, but not the same as, the channel binding data used in
[I-D.altman-tls-channel-bindings], however this extension is not a
generic-purpose RFC 5056 channel binding facility.

Comments?

-Ekr