Re: [TLS] TLSrenego - current summary of semantics and possibilities
Martin Rex <mrex@sap.com> Tue, 10 November 2009 22:24 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5373F3A6BB4 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 14:24:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.855
X-Spam-Level:
X-Spam-Status: No, score=-5.855 tagged_above=-999 required=5 tests=[AWL=-0.206, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30a6wFKYYf0J for <tls@core3.amsl.com>; Tue, 10 Nov 2009 14:24:52 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 6E24D3A696C for <tls@ietf.org>; Tue, 10 Nov 2009 14:24:50 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAAMPFxg019293 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 10 Nov 2009 23:25:15 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911102225.nAAMPElc000249@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Tue, 10 Nov 2009 23:25:13 +0100
In-Reply-To: <4AF9D413.7090408@pobox.com> from "Michael D'Errico" at Nov 10, 9 12:58:59 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 22:24:53 -0000
Michael D'Errico wrote: > > > It is possible that a TLS client may not want to assert the TLS extension > > Renegotiation_Info in an initial ClientHello because of interoperability > > concerns with an installed base of not-quite-spec-compliant servers. > > Then it will end up buying a lot of pizza. What you're asking for is to discontinue talking to the entire installed base of SSL&TLS implementations. i.e. clients should only talk to updated servers (which means they must be updated clients). What about a transistion period? (A world-wide "SSL/TLS flag day" is probably unlikely) How do you determine the end of the transition period, i.e. the point in time where clients discontinue to servers that were not updated? > > Simply finishing the *initial* handshake completes the attack! (The > server saw it as a renegotiation, not the client.) But you do realize that it is an attack on the server? And do you further realize, that it is a problem of the server that request or at least allow renegotiation -- those that reject renegotiation are _not_ vulnerable. The MITM only makes you talk to someone. Considering how careless some security folks invent means to coerce someones software to talk to someone else (e.g. certificate URL TLS extension, AIA in X.509 certs), I don't feel it is fair to hold the TLS clients responsible for the problem. What you're asking for means that the Browsers should discontinue their re-connect fallback with a SSLv3 ClientHello, because the MITM could be able to coerce the browsers to do it. > > To protect against this, the only thing that a client can do is include > the empty renegotiation info extension. If the server returns it and > the handshake completes, there is no MITM. In fact if you were to then > renegotiate, you wouldn't need the extension (!) because you are already > certain that the handshake was with the server and not the MITM. HUH? The Renegotiation_Info is required for cryptographic binding during the renegotiation handshake. Without it, there is zero protection. > > There are a few possible results of sending the extension: > > a) the server responds with the extension > b) the server responds without including the extension > c) the server "crashes" because of the extension You have forgotten d) the server sends a fatal handshake alert e) the server closes the network connection > > > Overloading ("abusing") the semantics of other regular elements > > of an SSL/TLS handshake that have a lesser likelihood to upset > > legacy servers. > > > > - Assign one (or two) specific ciphersuite IDs that the client > > can include in the ciphersuites list which signal the clients > > notion of the connection state (initial vs. renegotiation) > > to the server. > > > > - Assign one (or two) compression algorithm IDs that the client > > can include in the supported compression algorithms list which > > signal the clients notion of the connection state (initial vs. > > renegotiation) to the server. > > I would not like to see this kind of solution. If code has to change, > Do The Right Thing. The IETF should provide solutions to the _real_ world. Limiting our solutions to an ideal world of academic purity will hurt the entire community of end users around the world. To me it looks like the TLS WG did not sufficiently care and push that implementations support the "official" extensibility provided already in the SSLv3 protocol (ClientHelloExtension), therefore we may have to resort to (ab)using the purpose of other extensibility options provided in the protocol that have a significantly higher interoperability among implementations. Assigning a ciphersuite IDs for the purpose of signaling support for TLS extension Renegotiation_Info in a initial handshake on a connection (as seen by the client) and including that ID in the ciphersuites list offered by the client might offend/confuse less of the old servers than a TLS client extension or a client.version != 0x03,0x00 It might be OK for an updated client to always send the TLS extension Renegotiate_Info with the verify_data from the client.finished message on a renegotiation handshake. In that case, we would not need to signal the clients notion of "initial vs. renegotiate" with an additional re-purposed ciphersuite ID. Even if _you_ can update all _your_ clients and server that you are using, this does not make the other non-patched (but also not vulnerable) servers go away. The problem that were facing right now is not caused by those servers. It's _our_ fault (Netscape and the IETF TLS WG), because _we_ created this problem with a design flaw in the protocol. So if _we_ are not trying to provide a solution in a fashion that breaks the least amount of the installed base, then we're not acting responsibly. That would amount to shifting blame / passing the buck, it would not be the engineering solution that the community expects from us. When thinking about re-purposing other areas of the exiting protocol, our concerns should be more along the lines: what will break if we do that? who might be confused by this change, and what problems may arise from such confusion? can the re-purposing lead to a new security problem by itself? How good can we interop-test this? Personally, I think that religious beliefs about protocol purity are much more important for new protocol design and forward interoperability issues. They are at most marginal when trying to fix a problem that is more than 14-years old would require then entire world to update in order to protect a small amount of people against a small amount of servers that will irresponsibly continue to make assumptions accross TLS session boundaries of an unprotected TLS renegotiation. -Martin
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard