IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

David-Sarah Hopwood <david-sarah@jacaranda.org> Sat, 21 November 2009 19:02 UTC

Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 037F13A6921 for <tls@core3.amsl.com>; Sat, 21 Nov 2009 11:02:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibv427ZFqKT2 for <tls@core3.amsl.com>; Sat, 21 Nov 2009 11:02:15 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id 85D583A69FF for <tls@ietf.org>; Sat, 21 Nov 2009 11:02:14 -0800 (PST)
Received: by ewy6 with SMTP id 6so633906ewy.29 for <tls@ietf.org>; Sat, 21 Nov 2009 11:02:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=dmJxuT+VZwoHoI3iM6b+mOlAOjFWXzItvY6YQDOLZPA=; b=TKkXNpC5ewYQQGUYxeEBSrs3HgY/+2Zv1MdJuKLVrd6qzdl9r3w7xWvTyfYIOHAh1U XTnJ9CrR4Ig8Ty5bDnegD+bHrCCjKdqWCnBYihNoklnHA8HXdeSUaf3wzQMKu2NivhCh omweSiAVP4/ggQWZstu5SFPKjemoIIQQnHnD4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=YuNjKhva/9UBwpaS3UnOY8g6UtUZiCrhcCO7hT0BCXn0wp4sK/gFg2uPxxxFWXGEwi Eln59kqosUoyCCebAKLthKJHDb+wTvy1AB+WWGm5YMna12JvnVt0wwYIJTgLLf70O5sN M0QYP6fW5oTM8wDvSASSEM0xwygUYWMRDj2as=
Received: by 10.213.23.156 with SMTP id r28mr2772850ebb.86.1258830125229; Sat, 21 Nov 2009 11:02:05 -0800 (PST)
Received: from ?192.168.0.2? (5e0212a1.bb.sky.com [94.2.18.161]) by mx.google.com with ESMTPS id 24sm661097eyx.6.2009.11.21.11.02.03 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 21 Nov 2009 11:02:03 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B0838E4.6010003@jacaranda.org>
Date: Sat, 21 Nov 2009 19:00:52 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <C72D632E.6830%stefan@aaa-sec.com>
In-Reply-To: <C72D632E.6830%stefan@aaa-sec.com>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig08B2444EA144B5C6149AE5DC"
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2009 19:02:16 -0000

Stefan Santesson wrote:
> On 09-11-20 7:41 PM, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
> wrote:
> 
>>> One example is if authentication is performed with proper channel binding in
>>> a layer above TLS and the service is provided under that security context.
>>
>> I'm skeptical. How can "proper channel binding" be done correctly in a
>> layer above TLS, if the TLS library merges renegotiated sessions?
>> Since the session merging will result in the client and server's state
>> at the higher layer(s) being out of sync, nothing can be assumed about
>> the correct functioning of those layers.
> 
> The problem occurs on the clients initial handshake, being done in the
> clear, while the MITM is feeding this into a renegotiation with the server.
> 
> As this attack has been described, once the client and server has concluded
> an end-to-end handshake, the window for the attacker to do bad stuff is
> closed. All renegotiations are safe from this point on.

That's an oversimplification.

The attacker is able to add a prefix to the server's view of the session.
This changes the server's state from what it would have been on an
initial connection. How far the attacker's influence on the server's
state extends into that session, is dependent on the application protocol.

> The very act of channel binding, binds authentication of the client to
> unique properties of the TLS channel. Thus,  successful channel binding
> ensures that the client has concluded its first handshake (or it would not
> have anything to bind to). It also ensures that the TLS channel is carried
> end-to-end (or else channel binding would fail).

This is assuming away the problem. I said:

# How can "proper channel binding" be done correctly in a layer above
# TLS, if the TLS library merges renegotiated sessions?

The attack has already disrupted the functioning of the layer above TLS.
If any channel binding is done *at that layer* (or above), without
knowledge of the TLS renegotiation boundaries and taking specific account
of the vulnerability in TLS, then it can't be assumed to be reliable.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email