Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
Marsh Ray <marsh@extendedsubset.com> Sun, 06 May 2012 16:54 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49DCC21F84F0 for <tls@ietfa.amsl.com>; Sun, 6 May 2012 09:54:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[AWL=0.198, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZC8JKoS0WNhw for <tls@ietfa.amsl.com>; Sun, 6 May 2012 09:53:59 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by ietfa.amsl.com (Postfix) with ESMTP id 67A4E21F84EB for <tls@ietf.org>; Sun, 6 May 2012 09:53:59 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1SR4ic-000FvW-KE; Sun, 06 May 2012 16:53:58 +0000
Received: from [172.16.2.4] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 0D04B6081; Sun, 6 May 2012 16:53:57 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/X8PT31iY6hqRuwIpW4MKNvQOuUhQy8AI=
Message-ID: <4FA6ACA1.8080603@extendedsubset.com>
Date: Sun, 06 May 2012 11:53:53 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mohamad Badra <mbadra@gmail.com>
References: <4FA401F7.5060003@extendedsubset.com> <4FA424A3.2010409@pobox.com> <4FA4264A.7070406@extendedsubset.com> <4FA4AE62.20506@pobox.com> <B3912FD3-F167-427A-B8EE-689898200939@checkpoint.com> <4FA55298.9010203@pobox.com> <65A74BBD-AA6D-447C-898D-8CB8C5966943@vpnc.org> <4FA55DAE.8020909@pobox.com> <508C47AD-7999-46EB-832A-4D66AAC87118@vpnc.org> <006FEB08D9C6444AB014105C9AEB133F017A7C056C48@il-ex01.ad.checkpoint.com> <CAOhHAXzGu+MR0=21mAbBswvJEsE2JneUhha2zvBF10umKE4cHg@mail.gmail.com> <5B46AA77-90A1-4BC8-92E7-B4533B36F78D@checkpoint.com> <CAOhHAXycZXk_DkTysxg5zMV+eSYoCOXiRzFJA6--wTq_PWBf6g@mail.gmail.com>
In-Reply-To: <CAOhHAXycZXk_DkTysxg5zMV+eSYoCOXiRzFJA6--wTq_PWBf6g@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2012 16:54:00 -0000
On 05/06/2012 03:49 AM, Mohamad Badra wrote: > > I was reading "no need to have an (EC)DH certificate to authenticate the > first CCS". In that case, active attacks are possible. Right, EH does not resist active attacks. It is possible for an active attacker to learn what the client or server would have sent in the handshake. But any such attack causes the handshake to fail in all the scenarios where TLS currently provides integrity protection, i.e., everywhere except for anon-anon DH connections or a pwned trusted root CA. It may be possible to get better guarantees for messages that are sent after the Client Key Exchange or Server Key exchange (such as RFC 4680 'Supplemental Data' messages). But some TLS implementations reportedly do not check these signatures until the Finished messages and many non-browser clients do not even look at the name on the server cert until the handshake is complete. This means that the protections offered by EH to client certs is limited. Applications requiring serious security for the content of client certs should still use renegotiation. If the client has an interest in protecting the client cert he MUST NOT transmit the client cert until he's fully authenticated the server. Generally this requires renegotiation, but many servers will not allow the client to initiate that. Consequently, general purpose clients like web browsers can be tricked into transmitting the client cert to an active attacker. The only thing that can fix that is to change the client behavior to be more strict. In order to avoid breaking existing applications, clients can only become more strict if they are given positive indication to do so. Most forms of negotiation can be falsified by an active attacker at the point the client cert must be sent. So AFAICT the only way that a client cert used by web browsers can be protected from active attackers is to encode a positive indication in the client cert itself to require such protection. This must take the form of an authorization mechanism defining which server identities are allowed to receive the plaintext client cert and how they may be authenticated. If such a mechanism is ever put in place, EH may be able to optimize out the renegotiation. But we would have to approach that very carefully because the signature on the Server Key Exchange does not provide the same security properties as that of the server Finished. - Marsh
- [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Adam Langley
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Michael D'Errico
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Michael D'Errico
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Paul Hoffman
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Michael D'Errico
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Paul Hoffman
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Michael D'Errico
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Paul Hoffman
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Mohamad Badra
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Paul Hoffman
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Mohamad Badra
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Mohamad Badra
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Stephen Farrell
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Paul Hoffman
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- [TLS] draft-ray-tls-encrypted-handshake-00.txt Peter Sylvester
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Peter Sylvester
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Yoav Nir
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Martin Rex
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Peter Saint-Andre
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Peter Sylvester
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Tom Ritter
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Adam Langley
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nico Williams
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Eric Rescorla
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Nikos Mavrogiannopoulos
- Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt Marsh Ray