Re: [TLS] Inter-protocol attacks

mrex@sap.com (Martin Rex) Wed, 13 August 2014 14:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 244B51A02F0 for <tls@ietfa.amsl.com>; Wed, 13 Aug 2014 07:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaM_ojdu1eUw for <tls@ietfa.amsl.com>; Wed, 13 Aug 2014 07:00:41 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5A61A02D5 for <tls@ietf.org>; Wed, 13 Aug 2014 07:00:41 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s7DE0SGu023954 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 13 Aug 2014 16:00:29 +0200 (MEST)
In-Reply-To: <53EB6180.2030006@delignat-lavaud.fr>
To: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
Date: Wed, 13 Aug 2014 16:00:28 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140813140028.BE4351AE06@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YkGnwXu9yOOEpaEp5qaEyCl6z8U
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Inter-protocol attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Aug 2014 14:00:45 -0000

Antoine Delignat-Lavaud wrote:
> 
> This is the TLS mailing list, and the relevant problem here is the 
> complete lack of any restriction in RFC 5246 and 5077 on when a session 
> can be resumed.

This lack is intentional.  The only prerequisite is that both peers
have the session in their cache and are willing to use it for a session
instead of a full handshake.


>
> Thus, we end up in a situation where resumption is up to 
> implementations to decide; because of the lack of any specification,
> TLS libraries simply hand off the decision to the application;


You seem to be seriously misinterpreting the specifications.
The TLS libraries are not "simply handing off the decision to the
application", they are EXPLICITLY REQUIRED to leave any such decision
to the application.

Last sentence of Section 1. Introduction of every TLS spec:

  https://tools.ietf.org/html/rfc2246#page-4

                             the decisions on how to initiate TLS
   handshaking and how to interpret the authentication certificates
   exchanged are left up to the judgment of the designers and
   implementors of protocols which run on top of TLS.


In the abstract definition, the TLS client implementation has _absolutely_
_no_idea_ who it is talking to, working purely on a memory buffer interface
to the client application.


What is probably dangerous and unreasonable is when a TLS implementation
lets an application interfere with the PKIX path validation of a peer cert
chain.

The application level "interpretation of authentication certificates
exchanged" ought to be independent from whether the TLS stack performs
a full or an abbreviated TLS handshake, and the calling application
ought to retrieve and check/map the peer certificates after completion
of the TLS handshake and independent of whether the handshake was
full or abbreviated (and independent from the PKIX path validation).



>
> the application won't know what to do (this kind of question is typically 
> considered out of the scope of application protocol definitions),

Nope, that can not possibly happen.  Per specification, the application
*KNOWS* what to do.

There might be clueless programmers that don't know what to do, but
that is a different issue.


> 
> SPDY is an interesting case, as it does specify a clear resumption 
> policy (even though, I must against stress out again, this policy 
> technically allows resumption between any two HTTP origins as long as 
> they appear in the same certificate; thus, CVE-2014-3166 does not 
> violate any TLS or HTTP specification and cannot be considered an 
> implementation bug). This policy should be interpreted as an 
> authorization function for TLS authentication. In a full handshake, 
> there is a well-specified and widely-adopted authorization function 
> defined in RFC 5280. The problem I am pointing out is that the SPDY and 
> PKIX authorization functions are incompatible. Thus, TLS features that 
> assume PKIX authorization, such as SNI or ChannelID, may not guarantee 
> the same security properties under SPDY authorization. Similarly, 
> certain PKIX extensions will also fail under SPDY authorization, most 
> notably certificate pinning.

PKIX authorization does not exist within TLS.  Whether it exists in
the function of the application that "decisions how to interpret the
authentication certificates" is purely an application matter an
none of TLS business.

Certificate pinning would be an application decision, not a TLS decision.

But with your description I somehow still fail to see a problem.
If the server certificate of such resumptions will *pass* the
"server endpoint identification", then why would re-doing the
server endpoint identification make a difference?


-Martin