Re: [TLS] MITM Attacks on Client Authentication after Resumption
Bodo Moeller <bmoeller@acm.org> Wed, 05 March 2014 02:25 UTC
Return-Path: <SRS0=QKSf=YG=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2121F1A0148 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 18:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.476
X-Spam-Level:
X-Spam-Status: No, score=-1.476 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3t6jmpFDu5e for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 18:25:15 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.131]) by ietfa.amsl.com (Postfix) with ESMTP id 343571A013C for <tls@ietf.org>; Tue, 4 Mar 2014 18:25:05 -0800 (PST)
Received: from mail-yh0-f50.google.com (mail-yh0-f50.google.com [209.85.213.50]) by mrelayeu.kundenserver.de (node=mreue001) with ESMTP (Nemesis) id 0MQBed-1WGMgA2hxj-005Ezg; Wed, 05 Mar 2014 03:25:02 +0100
Received: by mail-yh0-f50.google.com with SMTP id t59so416138yho.37 for <tls@ietf.org>; Tue, 04 Mar 2014 18:25:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UUvzi3e8EokXtcN7KFDwrhgVfglDNdhkSWC1Pu4r2WM=; b=PqmIEKqW/bQ8jCPvh+SgeRWAjpkGJ8hbJQVRwtSsrzi8geeiV4gXA2MZSR+LZAw+ro xxf14k3bre/K+sMUBCVOKBxG2Nw730wtZSjUhW3gr09FM9cRhIVeecsQq+uwLHOsh384 uclT2LvEVNVMbzpkmbXKPTdfFlVFKPykyId1mej3yBCeiYKE0vBEt9o/RmF3NYPvlXy1 u+ovFCjlnXjC90/4SgxIO+/Tk6/JKIWbU1XTq09A/vG5Z2lkBdm71B4PHJfOG2KFEJZ5 i7pC3w+XLoOyG7H2pJM8JaN0SgPQgjjzwNYK6q7keIII0B8brvzRIpl+vZ8DJXRdu/w9 GFqw==
MIME-Version: 1.0
X-Received: by 10.236.229.195 with SMTP id h63mr105904yhq.121.1393986300616; Tue, 04 Mar 2014 18:25:00 -0800 (PST)
Received: by 10.170.78.5 with HTTP; Tue, 4 Mar 2014 18:25:00 -0800 (PST)
In-Reply-To: <20140303193737.2A2251AC36@ld9781.wdf.sap.corp>
References: <5314AF9B.8000402@drh-consultancy.co.uk> <20140303193737.2A2251AC36@ld9781.wdf.sap.corp>
Date: Tue, 04 Mar 2014 18:25:00 -0800
Message-ID: <CADMpkcKFv4oRHXPvsXMjEy8E=1A1Un0yy6rA26f9aWn8+djKjg@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Martin Rex <mrex@sap.com>
Content-Type: multipart/alternative; boundary="001a11c1e2084529bd04f3d2ba0c"
X-Provags-ID: V02:K0:TiJzXmDrqHjwX7rlIuETTTGiic1WPxnGWEP2NbPlOJr ksJ8fmKgeqjPsQeo0ug9iaTFttUDWxUT9s3iT3a0cvvGc/noul Mf3ndmlhPYOe3pEin383nhAHvgKSQMs7ZGIVaraWOc+1guTYPX mC23fKLVagK+LKgTaz7AyT4g3JguvRRC9LJAmPKdLzEiR3Zbz4 tNFWAlAGtJH36qkUP+w6heMVqxw2Q80+WfYvvrsDAkZ8GIvgeY WM0mL5x874fSrsW3MsDdZ9cCClQnxYckfIPdSUxcTOvS2ALIQI z6Uxms8LT9TqiM2GTfwWw64KxjCQGAkQKQ+NMUQ8hKp97X9ODt VNgkCr6Y/xVgzY7ziyqhnzoqQ8W14Vo4dw0gnyJUDIJIyi9kx5 h4kAvjrIe/QLll9/0RZlNaiWSi/MlFDFA6hTd7TNsozIb/qQeI ElrmP
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hZWFDbGVZUxUmOVPgTePoCQBaes
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 02:39:46 -0000
Martin Rex <mrex@sap.com>: > Dr Stephen Henson wrote: > > > If the client checks the hostname against the certificate whenever a > > certificate is presented[2] then additionally the attacker needs a > certificate > > with the same hostname as the attacked server. > > > > 2. This isn't always the case. Some applications check the hostname only > after > > the handshake has completed. > > An application client that is using a TLS library _without_ callbacks, > and requests a blocking TLS handshake to be performed, will only get to > see the server certificate after the handshake has completed. > > While the X.509 cert chain validation might be performed in-band > by the TLS stack, the rfc2818 Section 3.1 server endpoint > identification is left up to the application caller. I certainly agree that there's an issue here, but I don't see how (in the context of the Triple Handshake Attack) this is about whether a handshake has completed. Maybe what you (Steve and Martin) mean is that some applications only check once, after the *initial* handshake on the connection has completed (not checking again if another, renegotiation, handshake completes)? Bodo
- [TLS] MITM Attacks on Client Authentication after… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Andrei Popov
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Salz, Rich
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Daniel Kahn Gillmor
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Bodo Moeller
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Liz meeks