IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Sam Scott <sam.scott89@gmail.com> Fri, 10 February 2017 20:31 UTC

Return-Path: <sam.scott89@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB06612959C for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:31:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eI9xMLLvi5c for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 12:31:12 -0800 (PST)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4E9F12943A for <tls@ietf.org>; Fri, 10 Feb 2017 12:31:11 -0800 (PST)
Received: by mail-wm0-x243.google.com with SMTP id c85so8967364wmi.1 for <tls@ietf.org>; Fri, 10 Feb 2017 12:31:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:mime-version :in-reply-to:content-transfer-encoding; bh=VQRevXcxeFCkM2ckGy431aGI5umZrZrpJHl0q3uml4I=; b=On7AyRNOpqIBxJcAyDy9UtINzVyLDM+fAyo1dlDyHHoCAltvba7sLtfOwbuKL1Cjnq 2sf9a+21XKX3jfh2u51na4ZvUi25DECd/EYb00g00P9BuZX2vK/ubI+dHv48vswWJVF6 59v/8rf8brOfjNM28UPit8OzG30kXZib4ymYexgU5izrGOzCmYY+e8LM8KGTM9YVqgv2 O4c6qiLaOIfWEU0eGvMkpUTuwB1SiiAOAn60z2JnA2e0U0Hfnq2zZtvFp0kLCGAjZ3b8 wGm74X4TKmQI/fhbzvUK9Bb1Q3vB4/5dhiwmwKVgrSZEn+o+FS5qXhbbVrCPCAeZAvS5 jkvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :mime-version:in-reply-to:content-transfer-encoding; bh=VQRevXcxeFCkM2ckGy431aGI5umZrZrpJHl0q3uml4I=; b=ZzLFK2sGiHLSTZUWg4VBUVseEZoIZjbUvitWNhM9pyiCceHMHRoaPnKhcXGjpZwLFg Rg1+CX0PcnUurbuHytze85qD2E97HSsEHNoddcAm/ZwmdZcYP0JcujbP4p+6c3FluNwW p4o5ZbuW5MazWgaBFX/GyAs2KkvtQVySI19Adk7oSMcMZYcfgZ+2dlfqAilCCvir2KLh qjrE1E+fX0ve3PWTyXjIz4TggcXxhKYlW5LU1VUSDOUo6nRpVFlghMI/scbbeGV7MiVr q0oUA0QFwazWDGI0nkPVad60KZ+Gkquv0OvgsS3o8am/YD866Bf13cstyJbwC6Ele0AV 9c4A==
X-Gm-Message-State: AMke39mNZ0lIAvm78grEhpzTTSLK8/r7vzIHSdqEUhJp2/WGx7u8andeJS5d9Q3EYCRabQ==
X-Received: by 10.28.98.2 with SMTP id w2mr9664054wmb.66.1486758669847; Fri, 10 Feb 2017 12:31:09 -0800 (PST)
Received: from ?IPv6:2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149? ([2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149]) by smtp.gmail.com with ESMTPSA id o2sm1019308wmb.28.2017.02.10.12.31.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Feb 2017 12:31:09 -0800 (PST)
To: Andrei Popov <Andrei.Popov@microsoft.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com> <CY1PR0301MB084246763E664775322D79BA8C440@CY1PR0301MB0842.namprd03.prod.outlook.com>
From: Sam Scott <sam.scott89@gmail.com>
Message-ID: <a188d6f6-d918-e81c-cb5b-472dbfb0590e@gmail.com>
Date: Fri, 10 Feb 2017 20:31:08 +0000
MIME-Version: 1.0
In-Reply-To: <CY1PR0301MB084246763E664775322D79BA8C440@CY1PR0301MB0842.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YCdeL3jyPi9k73YJ-3bie55w2ps>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 20:31:13 -0000

Hi all,

Thanks Ilari and Andrei for pointing towards the fact that TLS 
guarantees ordering of messages.

On closer inspection, this has a similar effect as our partial fix to 
ensure the server must process the authentication message before continuing.

We still consider the lack of a strict binding by not including the 
client certificate in the transcript to be a slight problem, but this is 
less of an issue than what we first discovered. Our model assumes 
messages can arrive out of order, so perhaps we are instead considering 
a weaker variant, similar to DTLS.

The core observation remains that the context does not change when going 
from unilateral to mutual, which seems counter to the intuition of the 
context. We would prefer the context to also contain the client cert in 
mutual authentication. Indeed, we first encountered this issue when 
considering whether the client/server would agree on the authentication 
status after a session resumption. In this case, the client auth and 
NewSessionTicket messages may cross over which would result in a similar 
mismatch.

Thanks,

Sam

On 10/02/17 19:54, Andrei Popov wrote:
> Hi Sam,
>
> This part is not clear to me:
>> ...while in the post-handshake client auth, an attacker can decide this (by dropping the message).
> How does the attacker drop a TLS-protected message without terminating the connection?
>
> Thanks,
>
> Andrei
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Sam Scott
> Sent: Friday, February 10, 2017 11:46 AM
> To: Ilari Liusvaara <ilariliusvaara@welho.com>
> Cc: tls@ietf.org
> Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
>
> Hi Ilari,
>
> Thanks for the comments.
>
> Assuming the client sends a valid certificate that the server accepts, then the server cannot finish the handshake or begin processing incoming application data until authenticating the client. This *almost* gives us property (A). In practice, the client is aware that the server has successfully authenticated since the protocol continues.
>
> In the case that the server has implemented the reject option (rejecting a certificate but still continuing), and indeed rejects the certificate, then the server should send an alert message (or NAK of some form) for the property to hold in the initial handshake.
>
> However, even if we take the certificate reject + continue scenario into account for the initial handshake, then it is clear that this decision can only be made by the server in the initial handshake, while in the post-handshake client auth, an attacker can decide this (by dropping the message).
>
> The reason we don't believe an explicit ACK is needed is because upgrading to a new pair of keys explicitly provides this. Specifically, the client will send all subsequent data to the server under a new key.
> The server will not be able to decrypt this data until they receive the client authentication messages and upgrade the keys.
>
> This can be strengthened if the client's updated write key is computed using the authentication messages.
>
> We agree that TLS enforcing ordering of messages provides similar guarantees. However, we are analysing the specification as it is presented, which does not guarantee this.
>
> Thanks,
>
> Sam
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email