[TLS] What is spliced
Eric Rescorla <ekr@networkresonance.com> Mon, 07 December 2009 22:02 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 69FEE28C0E0 for <tls@core3.amsl.com>; Mon, 7 Dec 2009 14:02:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.925
X-Spam-Level:
X-Spam-Status: No, score=0.925 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjfLYp0tJKX9 for <tls@core3.amsl.com>; Mon, 7 Dec 2009 14:02:51 -0800 (PST)
Received: from kilo.networkresonance.com (216.156.83.78.ptr.us.xo.net [216.156.83.78]) by core3.amsl.com (Postfix) with ESMTP id B4FC53A63EB for <tls@ietf.org>; Mon, 7 Dec 2009 14:02:51 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id E36B16C5243 for <tls@ietf.org>; Mon, 7 Dec 2009 14:04:27 -0800 (PST)
Date: Mon, 07 Dec 2009 14:04:27 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: tls@ietf.org
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091207220427.E36B16C5243@kilo.networkresonance.com>
Subject: [TLS] What is spliced
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 22:02:52 -0000
There has been a bunch of discussion about what the introduction should say about what is spliced together in this attack. Here's my proposed new text, based on trying to integrate various comments from Nelson, Marsh, etc. This attack can be prevented by cryptographically binding renegotiation handshakes to the enclosing TLS channel, or more properly, to the TLS handshake which established the security parameters over which the new handshake is being performed. This prevents the attacker from splicing a negotiation occuring over one set of security parameters (including the initial pre-handshake set of TLS_NULL_WITH_NULL_NULL) into another set of security parameters. An attempt by an attacker to inject himself as described above will result in a mismatch of the extension and can thus be detected. The data used in the extension is similar to, but not the same as, the channel binding data used in [I-D.altman-tls-channel-bindings], however this extension is not a generic-purpose RFC 5056 channel binding facility. Comments? -Ekr
- [TLS] What is spliced Eric Rescorla
- Re: [TLS] What is spliced tom.petch
- Re: [TLS] What is spliced Martin Rex
- Re: [TLS] What is spliced Martin Rex