Re: [TLS] draft-ietf-tls-renegotation: next steps
David-Sarah Hopwood <david-sarah@jacaranda.org> Thu, 17 December 2009 03:11 UTC
Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 798FE3A6868 for <tls@core3.amsl.com>; Wed, 16 Dec 2009 19:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L-t-liipmaLP for <tls@core3.amsl.com>; Wed, 16 Dec 2009 19:11:18 -0800 (PST)
Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.24]) by core3.amsl.com (Postfix) with ESMTP id 9D99D3A6B2C for <tls@ietf.org>; Wed, 16 Dec 2009 19:10:54 -0800 (PST)
Received: by ey-out-2122.google.com with SMTP id 4so1313518eyf.5 for <tls@ietf.org>; Wed, 16 Dec 2009 19:10:35 -0800 (PST)
Received: by 10.213.25.79 with SMTP id y15mr7738332ebb.74.1261019434806; Wed, 16 Dec 2009 19:10:34 -0800 (PST)
Received: from ?192.168.0.2? (5e058d2d.bb.sky.com [94.5.141.45]) by mx.google.com with ESMTPS id 16sm967972ewy.6.2009.12.16.19.10.31 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 16 Dec 2009 19:10:32 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B29A121.8060005@jacaranda.org>
Date: Thu, 17 Dec 2009 03:10:25 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <808FD6E27AD4884E94820BC333B2DB774F31F17456@NOK-EUMSG-01.mgdnok.nokia.com> <20091216190811.71BF56C823C@kilo.networkresonance.com>
In-Reply-To: <20091216190811.71BF56C823C@kilo.networkresonance.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig5CA41497858694EC4E175E54"
Subject: Re: [TLS] draft-ietf-tls-renegotation: next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 03:11:21 -0000
Eric Rescorla wrote: > At Wed, 16 Dec 2009 10:53:37 +0100, > <Pasi.Eronen@nokia.com> wrote: >> - The current draft doesn't clearly say what should be included in >> legacy (insecure) renegotiation ClientHellos. I am not sure if we have >> enough clear opinions to call consensus, but keeping it aligned with >> the initial ClientHello (either MSCV or extension) seems to be one >> simple approach (but I hope to see the actual text). > > Attached is some candidate text that attempts to implement this. > > It is possible that un-upgraded servers will request that the client > renegotiate. It is RECOMMENDED that clients refuse this > renegotiation request. Clients which do so MUST respond to such > requests with a "no_renegotiation" alert [RFC 5246 requires this > alert to be at the "warning" level.] It is possible that the > apparently un-upgraded server is in fact an attacker who is then > allowing the client to renegotiate with a different, legitimate, > upgraded server. In order to detect this attack, clients which > choose to renegotiate MUST provide either the > TLS_RENEGO_PROTECTION_REQUEST SCSV or "renegotiation_info" in their > ClientHello. In a legitimate renegotiation with an un-upgraded > server, either of these signals will be ignored by the server. > However, if the server (incorrectly) fails to ignore extensions, > sending the "renegotiation_info" extension may cause a handshake > failure. Thus, it is permitted, though NOT RECOMMENDED, for the > client to simply send the SCSV. This is the only situation in which > clients are permitted to not send the "renegotiation_info" extension > in a ClientHello which is used for renegotiation. > > Note that in the case of this downgrade attack attack above, if this > is the initial handshake from the server's perspective, then use of > the SCSV from the client precludes detection of this attack by the > server. That is not correct. If the server is also upgraded, it can detect that the SCSV has been sent without the extension on a renegotiating handshake. This case must be an attack, because the client wouldn't have sent only the SCSV if it knew that the server was upgraded. (If the connection is a legitimate renegotiation and the server hasn't changed, the client would know that it is upgraded from the presence of the extension in the ServerHello of the previous handshake.) It is only un-upgraded servers that will not detect the attack (but the client accepted that possibility, contrary to the RECOMMENDATION in the second sentence of the above text). OTOH, I think it's perfectly reasonable not to allow clients to send only the SCSV on a renegotiation. As you say, > Sending RI in this instance only creates > an interop problem when a server (1) is doing something we know to be > really unsafe and (2) can't even ignore extensions correctly. Either way, the draft should specify that an upgraded server MUST abort a renegotiating handshake if it receives only SCSV without the extension. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood