IETF Logo Mail Archive

Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next

Marsh Ray <marsh@extendedsubset.com> Wed, 16 December 2009 22:09 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 330F43A6A8F for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:09:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T+hLbjvnJvfb for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:09:19 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 29D5B3A6A8D for <tls@ietf.org>; Wed, 16 Dec 2009 14:09:19 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NL23M-0005vq-Lv; Wed, 16 Dec 2009 22:09:04 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 907D96678; Wed, 16 Dec 2009 22:09:02 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+0s0MkZd8rAISZXaQJLDMOic8kT+DHIfg=
Message-ID: <4B295A7E.4080901@extendedsubset.com>
Date: Wed, 16 Dec 2009 16:09:02 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: mrex@sap.com
References: <200912162059.nBGKx7Sv017923@fs4113.wdf.sap.corp>
In-Reply-To: <200912162059.nBGKx7Sv017923@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 22:09:20 -0000

Martin Rex wrote:
> Kemp, David P. wrote:
>> Martin's text contradicts the AD's decision ...
> 
> I do not fully agree with the AD's determination of rough consensus.
> 
> For the MCSV signaling, the real rough consensus is different from
> what Pasi wrote:
> 
> http://www.ietf.org/mail-archive/web/tls/current/msg05306.html

That email is Michael Gray of IBM saying "I do not believe a technical
objection to the CipherSuite method has been presented" which is not
remotely the same as a real lack of "rough consensus".

> A mandatory Client->Server signaling through cipher suite may
> have less fanatic followers by the count of numbers,

Fanaticism is orthogonal to cardinality.

> but technical
> advantages and _no_ technical objections have been raised against it.

Let me re-state them then.

Making SCSV mandatory means that it no longer is the equivalent of an
empty extension, which raises the question of exactly what it does mean.
Saying it means "I'm updated" is simply begging the question.

Sending SCSV with no extension in a renegotiation Hello is a very
questionable thing to do. That combination of values is needed for
clients that wish to send an _initial_ hello and interoperate with
extensions-intolerant servers! Overloading to also mean (and be
ambiguous) with "I'm intentionally _renegotiating_ in a manner known to
be insecure" is bad. And that is a technical objection.

> The current either cipher suite or empty TLS extension RI signaling
> may have more "pro", but has significant objections against it
> because of the ambiguity,

"MUST send this and/or that" is not an ambiguity and you know it.

> increased complexity,

I disagree, see below.

> a 4x code size
> burden for old non-rengotiating servers

How can a TLS client prove in advance that the server could not have
been enticed to renegotiate by a MitM? It is not possible to do in
general, and thus no general implementation of the protocol can rely on
it for security.

I just don't see any explanation other than you are pushing this to save
a few lines of code in your own particular circumstance.

> and additional testing
> complexity.

Yes. These additional test cases are unfortunate, but nearly all vendors
agreed that it was necessary to have an SCSV option to avoid hitting
slow failures connecting to the extensions intolerant servers seen in
the wild.

If you were so concerned with testing complexity you wouldn't be pushing
to make simplifying assumptions in your implementation. Testing all
cases is certainly more work than the minimal code to support the one
and/or requirement.

> So as far as rough consensus is concerned, it is definitely
> with the approach I described.

The "mandatory SCSV" scheme seems primarily useful if your solution
works by modifying the PRF inputs on renegotiation and letting the
Finished hash comparisons detect the attack. That method had some merit
and was given serious consideration by myself and many others.

But again, the reason I could not ultimately support it is because it
involved changing the cryptographic calculations. Regardless of whether
you or I think that it was done correctly, it is a very very big deal to
some important users. It will invoke a formal cryptographic review
process which will prevent this solution from being usable by many
important sites any time soon.

Retro-fitting a "mandatory SCSV" requirement to the RI extension
proposal is what introduces the complexity and ambiguity without a
well-defined benefit.

Here are all the things that have to happen in order for a mandatory
SCSV requirement to be of benefit:

1. Client has to be in compatible/insecure mode.
2. Mitm has to impersonate a server of interest to the client.
3. Client does not check Mitm's cert on the initial handshake.
4. Client must be willing to conduct a server-initiated renegotiation
(from anonymous server).
5. Legit target server has to be in compatible/insecure mode.

If all these things happen, then the complicated protocol change
prevents one attack variant but leaves others.

In addition, another necessary condition for this to actually be a
useful improvement is:

6. Mitm can find no unpatched server of equal or greater value with
which to attack the connection of this client.

The additional complexity and ambiguity that the "mandatory SCSV" scheme
introduces for no real benefit is my technical objection against it.

- Marsh

v2.23.0 | Report a Bug | By Email