IETF Logo Mail Archive

Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18

Sam Scott <sam.scott89@gmail.com> Sat, 11 February 2017 14:52 UTC

Return-Path: <sam.scott89@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADF4312960E for <tls@ietfa.amsl.com>; Sat, 11 Feb 2017 06:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5KR9vFDxNwm for <tls@ietfa.amsl.com>; Sat, 11 Feb 2017 06:52:57 -0800 (PST)
Received: from mail-wr0-x22b.google.com (mail-wr0-x22b.google.com [IPv6:2a00:1450:400c:c0c::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AECB12953B for <tls@ietf.org>; Sat, 11 Feb 2017 06:52:57 -0800 (PST)
Received: by mail-wr0-x22b.google.com with SMTP id k90so125998367wrc.3 for <tls@ietf.org>; Sat, 11 Feb 2017 06:52:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:mime-version :in-reply-to; bh=l8MivqEfQy85UCYTPerSCLT2QSFYOEeJ8Gb5Al9b1ug=; b=SVQsXF3XsOc2yGWy0x9nrA7yF6EQERe9LTBElG+RbKzrp6gekmu/Fdkt23N5gCxcsn 3QHfAK5egyqZj6FbMGpYkDmbcCEj5vkuTIDPIB8Px2C/qzk0jlf5DtZ4S9fPAiEUkGn1 BrE3N50x71U0H8wHfWe/P9MHRkGmdaWygWZ2BxfBD3OQjetyDrgRrqP9IPMaDEX3sDTz rrdtb3lmKQZpHWN2xDVPTvuBA3hlRhUoYKgO+8mhhxyW3JVvU+zWz+EZh5k8AdKv0ibK gazupGcXJYPH4epnaHrDrQKQwD+incA5unAOus1+r0GLpczNoL4YEhuR70KAlwOS7pf3 2ecg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :mime-version:in-reply-to; bh=l8MivqEfQy85UCYTPerSCLT2QSFYOEeJ8Gb5Al9b1ug=; b=T0UYbNHibUTRTbsYI40xERC2BgViWkBvy7XGq45ktvXOtLNz0bPVQ43VWQdUkhJ1aS ISQlyEoSqvYUQyP6/0RyRHQHgt/FjM6uVTkg8kbUXqP0HPC697WYEpQHQ7S05JoZydrb 8JHEbvWWK22VyPQk+fxQFEc7xNMVBMJubQNi0Kz0kG7qGxue7RVk9Swl0By1XBT569HH bm/6EbsRy1pXfbabS0WPvtswAGEW6JdAE8y7zcVfAxBBqez1fu8/vIdIbX1IgCxOPwcT EUid2UykIa62eoCvks9KmAIpfDbiZQK9XopQhYoSW2upTWO5WiFkVpQIALCfMauHq+2/ T0Ig==
X-Gm-Message-State: AMke39mPELBL13XeDfz+/EKryXO9oyYSM5tIj1OM7UBKyikOiKZjeoI0jao02bqOUzPFBQ==
X-Received: by 10.223.149.39 with SMTP id 36mr12148308wrs.125.1486824775484; Sat, 11 Feb 2017 06:52:55 -0800 (PST)
Received: from ?IPv6:2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149? ([2a02:c7d:c804:7d00:7e7a:91ff:fe9e:8149]) by smtp.gmail.com with ESMTPSA id o143sm5462113wmd.3.2017.02.11.06.52.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 11 Feb 2017 06:52:54 -0800 (PST)
To: Andrei Popov <Andrei.Popov@microsoft.com>, Eric Rescorla <ekr@rtfm.com>
References: <CABdrxL53Fd7tY6+qF-p=acvCDa=hvbPov83XSd-Y8-gB3c33Ag@mail.gmail.com> <20170210172224.GA22473@LK-Perkele-V2.elisa-laajakaista.fi> <dade38c1-e5a3-4058-9291-c94ea14dfe91@gmail.com> <CABcZeBPxid8W-r4uUXewFg+cYtUssqQLOcjJ=2ueuyVqj4qZUA@mail.gmail.com> <a7d4852e-b74c-9a29-5872-e0b1e2bb31a5@gmail.com> <CY1PR0301MB0842B2E974E5E5AF94EF706A8C470@CY1PR0301MB0842.namprd03.prod.outlook.com>
From: Sam Scott <sam.scott89@gmail.com>
Message-ID: <304937cb-ca58-d4aa-a731-fd1498848637@gmail.com>
Date: Sat, 11 Feb 2017 14:52:53 +0000
MIME-Version: 1.0
In-Reply-To: <CY1PR0301MB0842B2E974E5E5AF94EF706A8C470@CY1PR0301MB0842.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------DF7E5870FD3AB5A7C14D3E2A"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dwReYWrSvmM7O51GmjsGmGVfpCg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Feb 2017 14:52:59 -0000

Is it common that 0.5 RTT data will be sent by the server in a fresh 
session? I.e. not after a resumption and therefore without the client 
previously sending early data?

Even so, it does also seem like a slightly troubling scenario, since the 
client has no (in-band) mechanism to determine the authentication was 
successful (or even at what point it arrived). Again, this could be 
rectified by forcing the client/server to update their keys, and even 
better if they include the client's authentication messages.

However, NewSessionTicket messages do not have this problem since the 
server wont send these before processing the client Finished, but it 
could still be an issue in the post-hs scenario.

Just want to reiterate: thanks all for helping to clarify this behaviour 
we've encountered. Hopefully it proves a useful insight into the 
guarantees (or lack thereof) provided  by client authentication. Also it 
is really useful in helping us to refine our model :)

Sam

On 11/02/17 01:49, Andrei Popov wrote:
>
> What about Eric’s other point:
>
> ØI am not sure that the regular TLS handshake guarantees these
>
> Øproperties either. The reason is that the server is permitted to
>
> Øsend data prior to receiving the client's second flight (0.5 RTT
>
> Ødata).
>
> With the server sending data prior to receiving the client’s second 
> flight, it seems that property B is not there when using in-handshake 
> client authentication as well?
>
> Cheers,
>
> Andrei
>
> *From:*TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Sam Scott
> *Sent:* Friday, February 10, 2017 12:53 PM
> *To:* Eric Rescorla <ekr@rtfm.com>
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] Awkward Handshake: Possible mismatch of 
> client/server view on client authentication in post-handshake mode in 
> Revision 18
>
> Hi Ekr,
>
> That's a good summary of the situation. Indeed we weren't previously 
> considering TLS as able to enforce the ordering of messages which does 
> seem to mitigate our scenario for property A. We haven't really had a 
> chance to take that into consideration for property B, but at a glance 
> it does still seem to be an issue.
>
> As mentioned in my other email, one scenario we encountered this was 
> if (using your message numbering as reference) messages 5 or 9 
> happened to be a NewSessionTicket. In this case, the client might be 
> under the impression that they have a session ticket for a mutually 
> authenticated channel.
>
> Thanks,
>
> Sam
>
> On 10/02/17 20:39, Eric Rescorla wrote:
>
>     Cas, Sam,
>
>     I thought I understood your concern here but maybe I don't.
>
>     Say we have the following sequence of messages
>
>       1. C->S: ClientHello
>
>       2. S->C: ServerHello...ServerFinished
>
>       3. C->S: ClientFinished
>
>       4. C->S: App message
>
>       5. S->C: App message
>
>       6. S->C: CertificateRequest
>
>       7: C->S: Certificate...Finished
>
>       8: C->S: App message
>
>       9: S->C: App message
>
>     As you indicate, there's some ambiguity from the client's perspective
>
>     (property B) about whether messages 5 and 9 were sent by the server
>
>     prior to or after receiving message 7, and also message 8. This
>
>     ambiguity exists even without an attacker and may or may not be
>
>     resolved at the application layer. An attacker can exploit this
>
>     ambiguity by holding messages 7 and 8 and (as long as application
>
>     semantics permit this).
>
>     Where I get confused is about property A. As I understand your
>
>     claim, an attacker can hold message 7 but deliver message 8 and
>
>     therefore, even if the client knows that 9 was in response to 8,
>
>     he doesn't know that the server received 7. As Ilari says, I don't
>
>     believe that this is correct because TLS enforces message ordering.
>
>     I agree that the specification doesn't explicitly say this, but
>
>     it's implicit in the processing rules via the following:
>
>     1. The encryption for each TLS record depends on the record sequence
>
>        number (RSN).
>
>     2. Records do not carry their RSN, so when you decrypt a message, you
>
>        must use the last RSN + 1
>
>     3. When you fail to decrypt a message (which is what happens if
>     you have
>
>        the wrong RSN) you are required to tear down the connection
>
>        (https://tlswg.github.io/tls13-spec/#record-payload-protection).
>
>     For this reason, if the attacker removes message 7, then 8 will not
>
>     be decryptable, and so ordering is preserved. As Ilari says, this
>     isn't
>
>     true in DTLS 1.3 which we'll presumably have to deal with one way
>
>     or the other before standardization (my plan would be just to forbid
>
>     post-handshake auth). Do you disagree with this? If so, perhaps you
>
>     could explain.
>
>     -Ekr
>
>     P.S. I am not sure that the regular TLS handshake guarantees these
>
>     properties either. The reason is that the server is permitted to
>
>     send data prior to receiving the client's second flight (0.5 RTT
>
>     data). See:
>
>     https://tlswg.github.io/tls13-spec/#protocol-overview
>
>     On Fri, Feb 10, 2017 at 11:45 AM, Sam Scott <sam.scott89@gmail.com
>     <mailto:sam.scott89@gmail.com>> wrote:
>
>         Hi Ilari,
>
>         Thanks for the comments.
>
>         Assuming the client sends a valid certificate that the server
>         accepts, then the server cannot finish the handshake or begin
>         processing incoming application data until authenticating the
>         client. This *almost* gives us property (A). In practice, the
>         client is aware that the server has successfully authenticated
>         since the protocol continues.
>
>         In the case that the server has implemented the reject option
>         (rejecting a certificate but still continuing), and indeed
>         rejects the certificate, then the server should send an alert
>         message (or NAK of some form) for the property to hold in the
>         initial handshake.
>
>         However, even if we take the certificate reject + continue
>         scenario into account for the initial handshake, then it is
>         clear that this decision can only be made by the server in the
>         initial handshake, while in the post-handshake client auth, an
>         attacker can decide this (by dropping the message).
>
>         The reason we don't believe an explicit ACK is needed is
>         because upgrading to a new pair of keys explicitly provides
>         this. Specifically, the client will send all subsequent data
>         to the server under a new key. The server will not be able to
>         decrypt this data until they receive the client authentication
>         messages and upgrade the keys.
>
>         This can be strengthened if the client's updated write key is
>         computed using the authentication messages.
>
>         We agree that TLS enforcing ordering of messages provides
>         similar guarantees. However, we are analysing the
>         specification as it is presented, which does not guarantee this.
>
>         Thanks,
>
>         Sam
>
>
>
>         _______________________________________________
>         TLS mailing list
>         TLS@ietf.org <mailto:TLS@ietf.org>
>         https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email