[TLS] Could the renegotiation attack be used for session hijacking?
Yoav Nir <ynir@checkpoint.com> Mon, 09 November 2009 12:59 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 421613A6AF6 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 04:59:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acsNOnzCW4MK for <tls@core3.amsl.com>; Mon, 9 Nov 2009 04:59:04 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id EFD5C3A6A0D for <tls@ietf.org>; Mon, 9 Nov 2009 04:59:03 -0800 (PST)
X-CheckPoint: {4AF80F23-2-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id B5F9229C00B; Mon, 9 Nov 2009 14:59:29 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 9408C29C007 for <tls@ietf.org>; Mon, 9 Nov 2009 14:59:29 +0200 (IST)
X-CheckPoint: {4AF80F23-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nA9CxSc6021871 for <tls@ietf.org>; Mon, 9 Nov 2009 14:59:29 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 9 Nov 2009 14:59:32 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "tls@ietf.org list" <tls@ietf.org>
Date: Mon, 09 Nov 2009 14:59:27 +0200
Thread-Topic: Could the renegotiation attack be used for session hijacking?
Thread-Index: AcphPHrrNqDIrBl6R52p3VeQwkc5tw==
Message-ID: <34C84617-2B75-4F6D-9F0B-50A528D445C8@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-36-291493463"; protocol="application/pkcs7-signature"
MIME-Version: 1.0
Subject: [TLS] Could the renegotiation attack be used for session hijacking?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 12:59:05 -0000
Hi. One of our security experts came up with an extension to the renegotiation attack, that may lead to session hijacking. It's probably not relevant for HTTPS, because those connections are short- lived, but may be relevant for applications with longer-lived sessions that require rekeying. draft-rescorla-tls-renegotiation should solve this as well: 1. Client connects without a certificate, but the session is authenticated by the protocol (like an HTTP form or FTP login). The MITM just proxies the connection to allow the client to authenticate. 2. After a while, the session requires rekeying, so the server sends a HelloRequest. 3. The MITM stops passing data to the client, and sends a ClientHello to the server. 4. The server and MITM complete the handshake, and the MITM has effectively hijacked the session from the client. The persistent application session means that the MITM is now authenticated to the server as the client. Seems to me that this will work, right? Am I missing something? Yoav