Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
Sam Scott <sam.scott89@gmail.com> Fri, 10 February 2017 19:46 UTC
Return-Path: <sam.scott89@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1E9129B4F for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 11:46:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tfmef1LqytNl for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 11:46:15 -0800 (PST)
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0548D1295A2 for <tls@ietf.org>; Fri, 10 Feb 2017 11:46:02 -0800 (PST)
Received: by mail-wm0-x244.google.com with SMTP id u63so8822240wmu.2 for <tls@ietf.org>; Fri, 10 Feb 2017 11:46:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:mime-version :in-reply-to:content-transfer-encoding; bh=noDM03/wEekilj90zT74tC8Q65xf4s1+0C//2aP4PjM=; b=P2jN0Sc9SQUxcLvOtdVFgkl4Km4WSDPyXO4BBpTiFcwWysqAhmjNV++g9BMO78+w7f xNSto+DINkqVM5me0Fn6dncTFHGBmnrw2MRaKD8SPBK5Hfie7MNVgZifXOFECx3NWBH+ YbppTRUDD04mwwFTRSHBSb5TKdqeKvuKN/tXFCVCt6dH/ybCNtNwXZifLPjShGMBnnp0 SOdRlSjhI61y9TQw37rRGSWIOvB8hZjc6FuBdr9eJjtPfe7Vyovdjlt9jUbUMFHj8zxK 9N9r8pJpH/lSCdPMONFrCgsbkb2/8JE9w9zcE4rlPntK6ho/q/CxTFHz2BgGJva0X23q llUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :mime-version:in-reply-to:content-transfer-encoding; bh=noDM03/wEekilj90zT74tC8Q65xf4s1+0C//2aP4PjM=; b=J9qldFmIunMAXl8C9ZnCjo/fXDnC7GdmAC/RvxtKscRKmXG5N3HlIRsKD2Ielt/QBf 1JrdXkqcltvYMdIDyTl3uZoPI+La6kUXTulLXE6SpM5mhISt7KCRjsnCKIx+mK2/0aUJ /C9IEcxTdb8thHd55oSbtTDFjQ7fEeBlQpKC4K2PZLAU4RIe7u37MXTn6XzwBT1bsuXM jZrugTogimmpYKcsRdZSHZetnxiUYG/TXxU5teScZ4SNEHNERraIrB4V4RNOHrZ5c8Fh g0b3eSGqEbuVXoiDokmkidOkPffL1Qpsy4Dh1TB8VjtePkmdgl3zJgynSk/XOsvbux9i 1oPg==
X-Gm-Message-State: AMke39nsZi24nm+fd0tmRcDbayXm8ZD8fYK6vSJsmabD7oWiA5aNC0ePI7bi5qD69k5+pg==
X-Received: by 10.28.38.2 with SMTP id m2mr27410639wmm.44.1486755960285; Fri, 10 Feb 2017 11:46:00 -0800 (PST)
Received: from ?IPv6:2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149? ([2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149]) by smtp.gmail.com with ESMTPSA id u184sm909201wmb.29.2017.02.10.11.45.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Feb 2017 11:45:59 -0800 (PST)
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi>
From: Sam Scott <sam.scott89@gmail.com>
Message-ID: <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com>
Date: Fri, 10 Feb 2017 19:45:58 +0000
MIME-Version: 1.0
In-Reply-To: <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VXYbmt84mSd0FyCy-TNLdnRdtzQ>
Cc: tls@ietf.org
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 19:46:23 -0000
Hi Ilari, Thanks for the comments. Assuming the client sends a valid certificate that the server accepts, then the server cannot finish the handshake or begin processing incoming application data until authenticating the client. This *almost* gives us property (A). In practice, the client is aware that the server has successfully authenticated since the protocol continues. In the case that the server has implemented the reject option (rejecting a certificate but still continuing), and indeed rejects the certificate, then the server should send an alert message (or NAK of some form) for the property to hold in the initial handshake. However, even if we take the certificate reject + continue scenario into account for the initial handshake, then it is clear that this decision can only be made by the server in the initial handshake, while in the post-handshake client auth, an attacker can decide this (by dropping the message). The reason we don't believe an explicit ACK is needed is because upgrading to a new pair of keys explicitly provides this. Specifically, the client will send all subsequent data to the server under a new key. The server will not be able to decrypt this data until they receive the client authentication messages and upgrade the keys. This can be strengthened if the client's updated write key is computed using the authentication messages. We agree that TLS enforcing ordering of messages provides similar guarantees. However, we are analysing the specification as it is presented, which does not guarantee this. Thanks, Sam
- [TLS] Awkward Handshake: Possible mismatch of cli… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Victor Vasiliev
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Sam Scott
- Re: [TLS] Awkward Handshake: Possible mismatch of… Eric Rescorla
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Ilari Liusvaara
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Thomson
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex
- Re: [TLS] Awkward Handshake: Possible mismatch of… Cas Cremers
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Wong
- Re: [TLS] Awkward Handshake: Possible mismatch of… David Benjamin
- Re: [TLS] Awkward Handshake: Possible mismatch of… Andrei Popov
- Re: [TLS] Awkward Handshake: Possible mismatch of… Martin Rex