Re: [TLS] MITM Attacks on Client Authentication after Resumption
Liz meeks <lizzylocdogg@gmail.com> Thu, 03 April 2014 13:57 UTC
Return-Path: <lizzylocdogg@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4E841A01B5 for <tls@ietfa.amsl.com>; Thu, 3 Apr 2014 06:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4mD7CgUXmSb for <tls@ietfa.amsl.com>; Thu, 3 Apr 2014 06:57:17 -0700 (PDT)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 8EF511A029D for <tls@ietf.org>; Thu, 3 Apr 2014 06:57:16 -0700 (PDT)
Received: by mail-la0-f52.google.com with SMTP id ec20so1344383lab.39 for <tls@ietf.org>; Thu, 03 Apr 2014 06:57:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2dDHTlcxDCE/ZL/iz+wbXJ/guIjLoSnYao/y1hzd1AE=; b=xvgjpHfTCfuZnSPJ6eZtvc8/eiqsWdfYlvTP90bTy7uu1tfsI6b/MsKffNJScl+mWX RTfb5cYGcGEOvNygBoYC/NTANAEXdPwKfwaV80SD2jhD/kZIXOuQcdKIcTGEAEjpkJBu jJ+Dlv5v850OHjPq/lRkeCHX25vqk7if5/YZnHWlFKBTa/bLJXEBsQLe2nPbb/5q2KLa Pm0NcVHYbpRj+aHLE5VsC/HMSWlcfy+3ORLwS5bT3PX98910YxmaHl16gfkfJKmImEv+ 88CABnbmd4sSLaM/Gjn9/Zxsv7k15ZQ3bcZnZk//3NbgwyOuE98A/Bd8UdV2S6ETtm1k 0TSA==
MIME-Version: 1.0
X-Received: by 10.112.12.97 with SMTP id x1mr15259lbb.78.1396533431699; Thu, 03 Apr 2014 06:57:11 -0700 (PDT)
Received: by 10.152.18.133 with HTTP; Thu, 3 Apr 2014 06:57:11 -0700 (PDT)
Received: by 10.152.18.133 with HTTP; Thu, 3 Apr 2014 06:57:11 -0700 (PDT)
In-Reply-To: <E3602DA5-B23A-444D-BBF7-CFE949953C92@inria.fr>
References: <BB2FE60E-A7CA-4EA7-BFC8-AB794EC6FF00@inria.fr> <CF3A5B04.184EE%kenny.paterson@rhul.ac.uk> <E3602DA5-B23A-444D-BBF7-CFE949953C92@inria.fr>
Date: Thu, 03 Apr 2014 06:57:11 -0700
Message-ID: <CAGWT0_P9RCHv4xFg9H-UOj2kuufzi2xz85EjSOXL_5wes8vE-g@mail.gmail.com>
From: Liz meeks <lizzylocdogg@gmail.com>
To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: multipart/alternative; boundary="001a11c3a1061d0f1204f623c7f1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YJusaLRnzOChE9Gy71OG17jdPQY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 13:57:23 -0000
Please stop sending me these emails On Mar 3, 2014 8:47 AM, "Karthikeyan Bhargavan" < karthikeyan.bhargavan@inria.fr> wrote: > > Rather, an application running at C might end up using TLS-protected data > that was supplied by M in step 2 of the attack as if it came from S (or > vice-versa). This is a comparable attack to the original renegotiation > attack of Ray&Dispensa and Rex. > > > Yes, indeed, the impact of our renegotiation attack is comparable to the > 2009 renegotiation attacks. > In fact, the setup of our attack is closer to Rex's version than Ray's > version: > http://www.ietf.org/mail-archive/web/tls/current/msg03928.html > > as far as I can see - for the 3rd step of the attack, it > seems that M just passes messages backwards and forwards and ends up NOT > knowing the keys shared by C and S. Any authentication protocol is > vulnerable to a "message passing" attack of this type in which the > adversary simply acts as a wire, and it's not considered an attack on such > protocols. > > > I would note that the renegotiation handshake we are speaking about is not > exactly a standalone authentication protocol. It is the second handshake on > a connection, with different client or server identity than the first > handshake. This leaves room for confusion: should an implementation > associate the connection to the first set of principals or the second? > > Indeed, it's correct that C *is* connected to S and S *is* connected to C > after step 3! (not just that they "think" they are so-connected). > > > Kenny, you seem to suggest that only the second should be considered. > Common web browsers and HTTPS libraries only consider the first. It is > interesting to try and understand which is the right answer here. > > -Karthik > > > > What matters here is how a server application running at S interprets data > that may have been sent under TLS protection in the first 2 steps in the > attack: it may assume it came from C when in fact it came from M. > > The more accurate description from Karthik's text is this: > > Step 3. (Renegotiation C-M-S) > > > ... > Both handshakes complete with new mutually-authenticated sessions and > record keys. > C now thinks it is connected to S and S thinks it is connected to C. > (M does not know the new record keys but its previous messages to S on > the same connection > may be treated as authenticated by C.) > > > > Indeed, it's correct that C *is* connected to S and S *is* connected to C > after step 3! (not just that they "think" they are so-connected). > > Cheers > > Kenny > > > On 03/03/2014 15:20, "Karthikeyan Bhargavan" > <karthikeyan.bhargavan@inria.fr> wrote: > > We are going to present some new man-in-the-middle attacks on TLS > applications in Tuesday¹s working group meeting. These attacks were > found as part of our research on trying to prove cryptographic > security for a TLS implementation [1]. We presenting some of the > materials here to kick-start some discussion and get early comments on > our proposed countermeasure. Some people on the list already know of > these attacks but this is the first public disclosure. > > More details are at https://secure-resumption.com > <https://secure-resumption.com/> [2] > > Scenario > ====== > Consider a client C that normally authenticates to a server S using a > client certificate. If C uses the same certificate to authenticate to > a malicious server M, then we show that M can use C¹s certificate to > authenticate its own connection to S. > > The attack relies on the combination of an initial RSA or DHE > handshake, followed by session resumption on a new connection, > followed by a client-authenticated renegotiation. During the first two > handshakes, C has a connection to M and M has a connection to > S. During the third handshake, M is able to authenticate as C to S and > as S to C. > > This server-based man-in-the-middle attack should normally have been > prevented by the Renegotiation Indication (RI) extension [3] but by > injecting session resumption between the two full handshakes, we are > able to bypass the renegotiation countermeasure. > > Triple Handshake Attack > ================ > I¹ll briefly summarise the attack below for an initial RSA key > exchange. The webpage [2] has diagrams that will be easier to follow, > describes more attack variants, and provides some disclosure status. > > The attack proceeds in three steps: > > Step 1. (Initial Handshakes C-M, M-S) > - C connects to M and M connects to S, both handshakes use RSA. > - M forwards C¹s and S¹s client hellos to each other. > - M receives an encrypted PMS from C and reencrypts it towards S. > - Both handshakes complete with new sessions and record keys. > Both sessions have the same master secret, random nonces, and session id. > (M knows the master secret and record keys since it participated in both > handshakes) > > Step 2. (Session Resumption C-M, M-S) > - C resumes its session with M on a new connection. > - M resumes its session with S on a new connection. > - M forwards all the abbreviated handshake messages unchanged between C > and S. > - Note that the RI extensions on both handshakes are empty, > since it is the first handshake on the connection > - Both handshakes complete with new record keys (and reuse old sessions) > Both connections have the same record keys and handshake logs (verify > data) > (M still knows the record keys and can send messages in either > direction.) > > Step 3. (Renegotiation C-M-S) > - S requests M for renegotiation with client certificate. > M requests C for renegotiation with client certificate. > - M forwards all renegotiation messages unchanged between C and S > - Note that since the handshake logs in the preceding handshake were the > same, > the RI extensions on both handshakes will be the same. > - Both handshakes complete with new mutually-authenticated sessions and > record keys. > C now thinks it is connected to S and S thinks it is connected to C. > (M does not know the new record keys but its previous messages to S on > the same connection > may be treated as authenticated by C.) > > At the end of Step 3, S has an incoming connection on which it > initially received data from an anonymous client (M) and later > received data from an authenticated client (C). This breaks the > intended guarantees of the RI extension. > > Countermeasures > =========== > During Step 3, C has a connection on which it first received M¹s > certificate and later S¹s certificate. If C refuses to accept this > change of server identity, then it can prevent Step 3 of the > attack. Indeed, we recommend mainstream web browsers and HTTPS > libraries should systematically forbid the change of server identities > during renegotiation. > > However, already at the end of Step 2, a number of connection and > session parameters, such as the tls-unique channel binding for the two > connections are the same. So any application-level mechanism that > relies on the TLS master secret [4] or channel bindings [5] or exports > TLS keying material [6] is vulnerable to a similar man-in-the-middle > attack. > > We argue that the core vulnerability here is that the TLS master > secret is not bound to enough elements of the TLS session. We propose > a new TLS extension that binds the master secret to the hash of the > all relevant handshake messages in the initial handshake. > > The proposed draft is available at: > http://secure-resumption.com/draft-bhargavan-tls-session-hash-00.txt > > The key idea is that each full handshake is associated with a session > hash, computed as > > session_hash = Hash(handshake_messages) > > where handshake_messages consist of all messages up to and including > the ClientKeyExchange. The extended master secret computation enabled > by the extension is then computed as > > master_secret = PRF(pre_master_secret, > "extended master secret", > session_hash) [0..47]; > > We¹ve implemented this extension in OpenSSL without much difficulty. > Changing the master secret derivation may seem radical, but we believe > it is the main way to counter future attacks that may rely on the > session synchronization (step 1) that we exploit here. > > An alternative countermeasure would be an extension (along the lines > of [3]) that includes the session hash as defined above in the > ClientHello and ServerHello messages of the abbreviated > handshake. This would provide an explicit link between the resumption > handshake and its original full handshake, and hence prevent the > renegotiation attack described above. > > We welcome comments and suggestions. > -Karthik Bhargavan, Antoine Delignat-Lavaud, and Alfredo Pironti > > [1] http://mitls.org <http://mitls.org/> > [2] https://secure-resumption.com <https://secure-resumption.com/> > [3] RFC5746: Transport Layer Security Renegotiation Indication Extension > [4] The Compound Authentication Binding Problem > (draft-puthenkulam-eap-binding-04) > [5] RFC5929: Channel Bindings for TLS > [6] RFC5705: Keying Material Exporters for Transport Layer Security > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] MITM Attacks on Client Authentication after… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Andrei Popov
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Salz, Rich
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Daniel Kahn Gillmor
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Bodo Moeller
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Liz meeks