IETF Logo Mail Archive

Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt

Marsh Ray <marsh@extendedsubset.com> Sun, 06 May 2012 16:54 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49DCC21F84F0 for <tls@ietfa.amsl.com>; Sun, 6 May 2012 09:54:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[AWL=0.198, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZC8JKoS0WNhw for <tls@ietfa.amsl.com>; Sun, 6 May 2012 09:53:59 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by ietfa.amsl.com (Postfix) with ESMTP id 67A4E21F84EB for <tls@ietf.org>; Sun, 6 May 2012 09:53:59 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1SR4ic-000FvW-KE; Sun, 06 May 2012 16:53:58 +0000
Received: from [172.16.2.4] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 0D04B6081; Sun, 6 May 2012 16:53:57 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/X8PT31iY6hqRuwIpW4MKNvQOuUhQy8AI=
Message-ID: <4FA6ACA1.8080603@extendedsubset.com>
Date: Sun, 06 May 2012 11:53:53 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mohamad Badra <mbadra@gmail.com>
References: <4FA401F7.5060003@extendedsubset.com> <4FA424A3.2010409@pobox.com> <4FA4264A.7070406@extendedsubset.com> <4FA4AE62.20506@pobox.com> <B3912FD3-F167-427A-B8EE-689898200939@checkpoint.com> <4FA55298.9010203@pobox.com> <65A74BBD-AA6D-447C-898D-8CB8C5966943@vpnc.org> <4FA55DAE.8020909@pobox.com> <508C47AD-7999-46EB-832A-4D66AAC87118@vpnc.org> <006FEB08D9C6444AB014105C9AEB133F017A7C056C48@il-ex01.ad.checkpoint.com> <CAOhHAXzGu+MR0=21mAbBswvJEsE2JneUhha2zvBF10umKE4cHg@mail.gmail.com> <5B46AA77-90A1-4BC8-92E7-B4533B36F78D@checkpoint.com> <CAOhHAXycZXk_DkTysxg5zMV+eSYoCOXiRzFJA6--wTq_PWBf6g@mail.gmail.com>
In-Reply-To: <CAOhHAXycZXk_DkTysxg5zMV+eSYoCOXiRzFJA6--wTq_PWBf6g@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2012 16:54:00 -0000

On 05/06/2012 03:49 AM, Mohamad Badra wrote:
>
> I was reading "no need to have an (EC)DH certificate to authenticate the
> first CCS". In that case, active attacks are possible.

Right, EH does not resist active attacks. It is possible for an active 
attacker to learn what the client or server would have sent in the 
handshake. But any such attack causes the handshake to fail in all the 
scenarios where TLS currently provides integrity protection, i.e., 
everywhere except for anon-anon DH connections or a pwned trusted root CA.

It may be possible to get better guarantees for messages that are sent 
after the Client Key Exchange or Server Key exchange (such as RFC 4680 
'Supplemental Data' messages). But some TLS implementations reportedly 
do not check these signatures until the Finished messages and many 
non-browser clients do not even look at the name on the server cert 
until the handshake is complete.

This means that the protections offered by EH to client certs is 
limited. Applications requiring serious security for the content of 
client certs should still use renegotiation.

If the client has an interest in protecting the client cert he MUST NOT 
transmit the client cert until he's fully authenticated the server. 
Generally this requires renegotiation, but many servers will not allow 
the client to initiate that.

Consequently, general purpose clients like web browsers can be tricked 
into transmitting the client cert to an active attacker. The only thing 
that can fix that is to change the client behavior to be more strict. In 
order to avoid breaking existing applications, clients can only become 
more strict if they are given positive indication to do so. Most forms 
of negotiation can be falsified by an active attacker at the point the 
client cert must be sent.

So AFAICT the only way that a client cert used by web browsers can be 
protected from active attackers is to encode a positive indication in 
the client cert itself to require such protection. This must take the 
form of an authorization mechanism defining which server identities are 
allowed to receive the plaintext client cert and how they may be 
authenticated.

If such a mechanism is ever put in place, EH may be able to optimize out 
the renegotiation. But we would have to approach that very carefully 
because the signature on the Server Key Exchange does not provide the 
same security properties as that of the server Finished.

- Marsh

v2.23.0 | Report a Bug | By Email