IETF Logo Mail Archive

Re: [TLS] Problem with DTLS 1.2 handshake

Eric Rescorla <ekr@rtfm.com> Mon, 26 March 2018 13:25 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4F3127369 for <tls@ietfa.amsl.com>; Mon, 26 Mar 2018 06:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E7uAtVX-V2ly for <tls@ietfa.amsl.com>; Mon, 26 Mar 2018 06:25:00 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9778B127201 for <tls@ietf.org>; Mon, 26 Mar 2018 06:25:00 -0700 (PDT)
Received: by mail-oi0-x233.google.com with SMTP id x20-v6so15763310oie.2 for <tls@ietf.org>; Mon, 26 Mar 2018 06:25:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mIhbm4dAgGVmgjLyO1uIfF+yITT1hU0xKQOz0aaUn3Q=; b=UaXHXV3RDUOW/wahjA4xTvgcnmmhBy6K6cHOC49oWV8EPvX6XvNvlZ1KnevORvy24y 4Vq1JLrKEWdsY9oQV5F9WJ8tGJ2dcimiUrIvYgUAOMyyoKrUhvLKXO0NMuHF6NtfA9xR fXBGgKOrV5t8Aw1tnyGtLVqwjXJT5nrh/iBL0tq+dbTaaw9pixqjAdhyigXHdyJ9WOuw pJQQjEbZBjEcEojGkUJa7qEG9gUIhQ+OyANI8Zc96WPZusMjTQXvrnottowoka+Wo1Lt ddgfYTnqe0yW2tEgl/4bfZVX6u/gX8ca3JxxXHJahfugLHRH+cOzcc3yOj8gkbZnL9t9 hakg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mIhbm4dAgGVmgjLyO1uIfF+yITT1hU0xKQOz0aaUn3Q=; b=qs8gcO2z/8HvDxUz2BfxIdbTlRd5XHnIQVp0mBSQHMcoy5uNo7Z/UU32jfVgsTIcH2 MjmaWyvInmQr3xIp0bHutrN3ye4akkt54o3a4bPuYJmUSh+E8sCKBorg/CqI9FFB5MTA +Kna9GVPY3qWLKGa66meYV3E0FET6D4LZ1Dv1/9en8MyYzueMBsYuXHyG0UN8HSwA8sK aBgScH4As+X9XsgioF/peP2FAFqTLgbdg8AIxCVRCDRL/q9tgmrNOlo5CMaHlRBLKC/6 tHEOduammchIuhXqJTL6t5YwKIkFGhB08eLq8bW7/sC9qz5do5rQ3ZhH7dgA6IzLk5h+ UWLQ==
X-Gm-Message-State: AElRT7EpM+iGTxnwOoIQfijjEcw4ypET5Q9Hmtdl9xf0teJNIhJAE5o1 p8W+U8aELU/HQUzkMluJz5eNxfwrEA+uE40a7grX8d5T
X-Google-Smtp-Source: AIpwx49XEUDkYB9fXsbvR/myqmVZr48v1UFGkEm97QzV9x5cSXeJclwQxvjJisCCkTIpcgab/n1AQSoUSNz/wPpoSSg=
X-Received: by 10.202.79.70 with SMTP id d67mr2798795oib.138.1522070699726; Mon, 26 Mar 2018 06:24:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Mon, 26 Mar 2018 06:24:19 -0700 (PDT)
In-Reply-To: <027001d3c503$a78b14c0$f6a13e40$@augustcellars.com>
References: <027001d3c503$a78b14c0$f6a13e40$@augustcellars.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 Mar 2018 06:24:19 -0700
Message-ID: <CABcZeBMTusQvQXfGbq+LRWBSDrvBu2bZcV0TBzo8VLDsQSm6pw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d858a617219056850b33a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bFi52yKl18vrwKvi1xY2VoamZvE>
Subject: Re: [TLS] Problem with DTLS 1.2 handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 13:25:02 -0000

First, just for clarification, you mean the TLS record MAC on the Finished
rather than the TLS Finished MAC, right?

Assuming that is correct, then I believe this is reasonable behavior. It
makes the protocol somewhat more resistant to damaged bits on the wire.
Note that QUIC takes this position even further: every packet is integrity
protected (the initial packets use a key based on the CID). The primary
consequence of this is slower failure detection, but the kind of case you're
talking about primarily happens when there is an implementation error,
so not much in the field anyway.

-Ekr


On Mon, Mar 26, 2018 at 6:09 AM, Jim Schaad <ietf@augustcellars.com> wrote:

> I appear to have run across an implementation that does not appear to
> violate the specification, but which in my opinion is just plain wrong.
>
> I am doing a handshake with PSK.  On the second flight from the client it
> sends
>
> [ChangeCipherSpec]
> Finished
>
> The server sees that the ChangeCipherSpec occurs and moves to use the keys.
> It then attempts to validate the MAC on the Finished message and silently
> ignores the Finish message because the MAC is incorrect and the text says
> that it is legal to ignore packets which have a bad MAC.  This means that
> my
> client re-sends the same flight to the server on and on because it never
> gets a response and assumes that the packet must be getting lost in
> transit.
>
>
> The document does not say that ignoring of bad MACs does not apply until
> the
> Finished message is received and processed.  I am not sure, but I believe
> the document needs to say that one cannot ignore a failed MAC on the first
> block of data in any epoch and must error on those messages.
>
> I have not looked to see if this is an issue for DTLS 1.3, but it could
> easily be.
>
> Jim
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email