Re: [TLS] MITM Attacks on Client Authentication after Resumption

Bodo Moeller <bmoeller@acm.org> Wed, 05 March 2014 02:25 UTC

Return-Path: <SRS0=QKSf=YG=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2121F1A0148 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 18:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.476
X-Spam-Level:
X-Spam-Status: No, score=-1.476 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3t6jmpFDu5e for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 18:25:15 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.131]) by ietfa.amsl.com (Postfix) with ESMTP id 343571A013C for <tls@ietf.org>; Tue, 4 Mar 2014 18:25:05 -0800 (PST)
Received: from mail-yh0-f50.google.com (mail-yh0-f50.google.com [209.85.213.50]) by mrelayeu.kundenserver.de (node=mreue001) with ESMTP (Nemesis) id 0MQBed-1WGMgA2hxj-005Ezg; Wed, 05 Mar 2014 03:25:02 +0100
Received: by mail-yh0-f50.google.com with SMTP id t59so416138yho.37 for <tls@ietf.org>; Tue, 04 Mar 2014 18:25:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UUvzi3e8EokXtcN7KFDwrhgVfglDNdhkSWC1Pu4r2WM=; b=PqmIEKqW/bQ8jCPvh+SgeRWAjpkGJ8hbJQVRwtSsrzi8geeiV4gXA2MZSR+LZAw+ro xxf14k3bre/K+sMUBCVOKBxG2Nw730wtZSjUhW3gr09FM9cRhIVeecsQq+uwLHOsh384 uclT2LvEVNVMbzpkmbXKPTdfFlVFKPykyId1mej3yBCeiYKE0vBEt9o/RmF3NYPvlXy1 u+ovFCjlnXjC90/4SgxIO+/Tk6/JKIWbU1XTq09A/vG5Z2lkBdm71B4PHJfOG2KFEJZ5 i7pC3w+XLoOyG7H2pJM8JaN0SgPQgjjzwNYK6q7keIII0B8brvzRIpl+vZ8DJXRdu/w9 GFqw==
MIME-Version: 1.0
X-Received: by 10.236.229.195 with SMTP id h63mr105904yhq.121.1393986300616; Tue, 04 Mar 2014 18:25:00 -0800 (PST)
Received: by 10.170.78.5 with HTTP; Tue, 4 Mar 2014 18:25:00 -0800 (PST)
In-Reply-To: <20140303193737.2A2251AC36@ld9781.wdf.sap.corp>
References: <5314AF9B.8000402@drh-consultancy.co.uk> <20140303193737.2A2251AC36@ld9781.wdf.sap.corp>
Date: Tue, 4 Mar 2014 18:25:00 -0800
Message-ID: <CADMpkcKFv4oRHXPvsXMjEy8E=1A1Un0yy6rA26f9aWn8+djKjg@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Martin Rex <mrex@sap.com>
Content-Type: multipart/alternative; boundary=001a11c1e2084529bd04f3d2ba0c
X-Provags-ID: V02:K0:TiJzXmDrqHjwX7rlIuETTTGiic1WPxnGWEP2NbPlOJr ksJ8fmKgeqjPsQeo0ug9iaTFttUDWxUT9s3iT3a0cvvGc/noul Mf3ndmlhPYOe3pEin383nhAHvgKSQMs7ZGIVaraWOc+1guTYPX mC23fKLVagK+LKgTaz7AyT4g3JguvRRC9LJAmPKdLzEiR3Zbz4 tNFWAlAGtJH36qkUP+w6heMVqxw2Q80+WfYvvrsDAkZ8GIvgeY WM0mL5x874fSrsW3MsDdZ9cCClQnxYckfIPdSUxcTOvS2ALIQI z6Uxms8LT9TqiM2GTfwWw64KxjCQGAkQKQ+NMUQ8hKp97X9ODt VNgkCr6Y/xVgzY7ziyqhnzoqQ8W14Vo4dw0gnyJUDIJIyi9kx5 h4kAvjrIe/QLll9/0RZlNaiWSi/MlFDFA6hTd7TNsozIb/qQeI ElrmP
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hZWFDbGVZUxUmOVPgTePoCQBaes
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 02:39:46 -0000

Martin Rex <mrex@sap.com>om>:

> Dr Stephen Henson wrote:
>


> > If the client checks the hostname against the certificate whenever a
> > certificate is presented[2] then additionally the attacker needs a
> certificate
> > with the same hostname as the attacked server.
> >
> > 2. This isn't always the case. Some applications check the hostname only
> after
> > the handshake has completed.
>


> An application client that is using a TLS library _without_ callbacks,
> and requests a blocking TLS handshake to be performed, will only get to
> see the server certificate after the handshake has completed.
>
> While the X.509 cert chain validation might be performed in-band
> by the TLS stack, the rfc2818 Section 3.1 server endpoint
> identification is left up to the application caller.


I certainly agree that there's an issue here, but I don't see how (in the
context of the Triple Handshake Attack) this is about whether a handshake
has completed.  Maybe what you (Steve and Martin) mean is that some
applications only check once, after the *initial* handshake on the
connection has completed (not checking again if another, renegotiation,
handshake completes)?

Bodo