Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Martin Rex <mrex@sap.com> Tue, 10 November 2009 21:00 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42A5B3A6900 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 13:00:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.862
X-Spam-Level:
X-Spam-Status: No, score=-5.862 tagged_above=-999 required=5 tests=[AWL=-0.213, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tP2AbYozFQnt for <tls@core3.amsl.com>; Tue, 10 Nov 2009 13:00:48 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 8B59C3A68AF for <tls@ietf.org>; Tue, 10 Nov 2009 13:00:45 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nAAL1B54008272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 10 Nov 2009 22:01:11 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911102101.nAAL1Ai9025439@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Tue, 10 Nov 2009 22:01:10 +0100
In-Reply-To: <4AF8F363.2030201@pobox.com> from "Michael D'Errico" at Nov 9, 9 09:00:19 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 21:00:52 -0000
Michael D'Errico wrote: > > > As previously described in another message, the current spec has a > > requirement that additonal application data may be arbitrarily > > interleaved with a renegotiation handshake. I think this requirement > > makes a security assessment of the protocol impossible for changing > > identities. > > If your TLS API was able to tell you exactly where in the application > data stream a renegotiation has completed successfully, you would > be able to apply the original security parameters to the data received > prior to the renegotiation, and then switch to the new parameters for > the data received after the renegotiation. What about the application data sent between the ChangeCipherSpec and the Finished messages? It certainly must be encrypted by the crypto parameters of the new session. But it can not be considered authentic before the finished messages have been verified. And when the finished messages verify, then I consider it inappropriate to associate that data with the _previously_ authenticated session&identity. Since the current SSL&TLS specs are completely ambiguous, you can not claim "if your TLS API was able to tell you exactly where in the application data stream", because currently no such semantics exist! Two independent implementations of TLS that claim to tell you exactly where the position is may identify entirely different positions -- and with the current spec, it is impossible to decide where the position should be. > > That would catch the MITM attack being discussed now. We're going to plug that MITM attack with secure renegotiation. But that will not affect the miserable ambiguity for where the original session ends and the new session starts if we do allow established identities to change during renegotiation. To fix that, we will have to spell out the precise semantics in a specification. IMHO, the cleanest would be to disallow application data transfer during a renegotiation handshake. > > > Personally, I would it find much cleaner if the semantics for the > > renegotiation would require the TLS peers to suspend transmission > > of application data while performing TLS renegotiation, > > i.e. > > > > the client must not send any application data between > > ClientHello and the client's Finished message > > > > the server must not send any application data between > > ServerHello and either no_renegotiation alert or > > the server's Finished message > > > > the client must drop all application data received > > between ServerHello and either no_renegotiation alert > > or the server's Finished message > > > > the server must drop all application data received > > between the ClientHello and the client's Finished message > > When I first implemented TLS, the only reason I could envision for > renegotiation was to refresh the symmetric keys, so I made it work > asynchronously. I wrote about it in this message: > > http://www.ietf.org/mail-archive/web/tls/current/msg04042.html > > With this design, application data can flow at nearly full speed while > a renegotiation is taking place. Requiring all data to stop flowing > during a renegotiation, may be unnecessary in some situations. If you lock down established identites, then I do not see a problem with this. For a delayed TLS client-cert authentication, this implies the semantics that the newly established identity assumes responsibility for everything that has been sent over the previous session. (The assumption that is currently a problem for servers doing renegotiation without a cryptographic binding between previous and renegotiated session. > I do see however, that data probably needs to stop flowing after sending > a Finished message until receiving the peer's Finished message, but > that affects only one direction and last for one round trip, not two. Why Finished? I think its everything following the ChangeCipherSpec. > > When you add changing client credentials to the mix, then data flow > probably has to stop, but that is really an application-level decision. > Also silently dropping data never seems like the right thing to do IMHO. _I_ did not write _silent_ dropping. Dropping and aborting is fine. Dropping in the sense of "MUST NOT make it available to the application". I said "drop" after having previously specified that the other side MUST NOT send during the handshake. That MUST NOT send app data directly translates to a requirement for the receiver to drop that data. Sending an alert when that happens and closing the connection is fine with me. > > > Are there currently applications that actively abuse the possibility > > provided by the spec to interleave application data and handshake > > messages of a TLS renegotiation handshake (provided that the > > TLS implementation that (a) they're using and (b) they're talking > > to actually allow this. The fact that the spec says so, doesn't > > mean that everyone has implemented it in this fashion (since it > > is complex,difficult and possibly insecure)? > > Yes, see the above referenced message. But I don't agree that it's > abuse since that is what the spec. says to do. I certainly didn't not want to blame you for implementing exactly what the TLS spec says in your TLS implementation. I'm sorry if I wrote it that way. I'm wondering whether there are application that actively abuse this feature and would break if the TLS implementation would exhibit semantics similar to those I outlined above and fail with an error if the TLS implementation would reject application data while performing the renegotiation handshake. -Martin
- [TLS] draft-rescorla-tls-renegotiate and MITM res… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Dr Stephen Henson
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Steve Dispensa
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Peter Saint-Andre
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] To API or not Bill Frantz
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- [TLS] RC4+3DES rekeying - long-lived TLS connecti… Martin Rex
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… David-Sarah Hopwood
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… Peter Saint-Andre