Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3

Nasko Oskov <noskov@microsoft.com> Fri, 13 November 2009 19:27 UTC

Return-Path: <noskov@microsoft.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE2E43A68DA for <tls@core3.amsl.com>; Fri, 13 Nov 2009 11:27:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.191
X-Spam-Level:
X-Spam-Status: No, score=-10.191 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGWkvTgU5F-s for <tls@core3.amsl.com>; Fri, 13 Nov 2009 11:27:41 -0800 (PST)
Received: from smtp.microsoft.com (maila.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id D25F63A677D for <tls@ietf.org>; Fri, 13 Nov 2009 11:27:41 -0800 (PST)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 13 Nov 2009 11:28:30 -0800
Received: from TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com (157.54.71.68) by TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) with Microsoft SMTP Server id 14.0.639.20; Fri, 13 Nov 2009 11:02:02 -0800
Received: from TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com ([169.254.3.181]) by TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.68]) with mapi; Fri, 13 Nov 2009 11:02:03 -0800
From: Nasko Oskov <noskov@microsoft.com>
To: "mrex@sap.com" <mrex@sap.com>, Marsh Ray <marsh@extendedsubset.com>
Thread-Topic: [TLS] TLSrenego - possibilities, suggestion for SSLv3
Thread-Index: AQHKZJBMt0TyUbupqEiUlJLepKUMApE0XCYw
Date: Fri, 13 Nov 2009 19:00:41 +0000
Deferred-Delivery: Fri, 13 Nov 2009 19:01:00 +0000
Message-ID: <B197003731D4874CA41DE7B446BBA3E829CBC5C0@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
References: <4AFB2B42.9060602@extendedsubset.com> from "Marsh Ray" at Nov 11, 9 03:23:14 pm <200911131837.nADIb6GY000472@fs4113.wdf.sap.corp>
In-Reply-To: <200911131837.nADIb6GY000472@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Sat, 14 Nov 2009 08:36:24 -0800
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 19:27:42 -0000

Martin Rex wrote:
>Marsh Ray wrote:
>> 
>> Well, if the remote endpoint allows you to initiate a renegotiation. 
>> MS IIS for example responds with a TCP RST, other implementations may 
>> be less direct.
>
>From what Nico said in earlier messages about the Programming Model for Microsoft's TLS implementation (schannel SSP), the code above SSPI must know an implement a lot of TLS message flow.
>
>According to that sketch, performing a TLS handshake requires a significant amount of code above SSPI, and performing a TLS renegotiation requires an awful huge amount of code above SSPI.  I have never used schannel myself (and haven't found >programming examples yet), but it seems that the app on top of SSPI _must_ know whether incoming data is application data, protected application data or handshake messages and pass each of them to distinct SSPI calls or get an error.
>The return calls of those SSPI functions probably indicate which call to do next (or which kind of data to expect next).

It is the return codes from the different APIs that tell you whether you should go back go negotiation or not. The application itself should never look at the actual packets and make decisions on their own.

>So an app on top of SSPI using the schannel SSP might not expect the client to request rekeying at arbitrary times during communication and that unexpected (protected) ClientHello handshake message is then passed to a Message-unprotection call of >SSPI where it is rejected.
>When that happens, the server seems to terminate the session (delete the security context) and close the socket/connection, which might be the reason why you receive a TCP RST.
>
>
>Nico also mentioned, that with SSPI, the renegotiation context uses a different/seperate context handle that the original context.

That is not entirely true. If a client wants to renegotiate, they just call the proper API with the current context, which emits renegotiation and handshaking begins.

>Which seems to imply, that for a TLS renegotiation by the app on top of SSPI, the app has to call the message protection/unprotection calls of the previous context for the initial handshake messages of the new context -- until the Interator Function(s) >indicate that this is no longer necessary (because ChangeCipherSpec has been sent).

The way it works is that message protection/unprotection returns a special error code instructing the application to start handshaking again, using the same context.

>If TLS renegotiation actually works like this in SSPI, then an SSPI app is actually playing the MITM-Attack every time that it renegotiates (i.e. it would perform the MITM-Attack on its own TLS stack).

It doesn't work this way, so you don't have to play the MiTM game itself. All the details are hidden behind the SSPI APIs and one has to just react based on return values.

Nasko