IETF Logo Mail Archive

Re: [TLS] Next Protocol Negotiation 03

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 15 November 2012 00:56 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B64F21F866E for <tls@ietfa.amsl.com>; Wed, 14 Nov 2012 16:56:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.537
X-Spam-Level:
X-Spam-Status: No, score=-102.537 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8bDqFw9oHZar for <tls@ietfa.amsl.com>; Wed, 14 Nov 2012 16:56:27 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id ADEA321F8646 for <tls@ietf.org>; Wed, 14 Nov 2012 16:56:27 -0800 (PST)
Received: from [10.20.30.102] (50-0-66-243.dsl.dynamic.fusionbroadband.com [50.0.66.243]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id qAF0uPRD036139 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 14 Nov 2012 17:56:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <462d1af8e2f84827abfac376f21d06d2@BN1PR03MB072.namprd03.prod.outlook.com>
Date: Wed, 14 Nov 2012 16:56:31 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <7C5DB110-3025-477E-9B59-C7D05C2AEB63@vpnc.org>
References: <CAL9PXLy31VzxLidgOy64MnDAyRE=HU=hxyBXW1rgB+Xnd0vKjA@mail.gmail.com> <4F981528.9010903@gnutls.org> <CAL9PXLzWNTxOjRnVPk67anfAkWizagcAsWRWJM3ShY6oWv9PjA@mail.gmail.com> <4F985162.7040405@extendedsubset.com> <f5178418cb4549fea8e210d6a3bc22d1@BN1PR03MB072.namprd03.prod.outlook.com> <CAL9PXLx4Qc_zjDWC2z_Gg-XAZ_VVNtBun9SpHFWe6Fgs=cpYiw@mail.gmail.com> <462d1af8e2f84827abfac376f21d06d2@BN1PR03MB072.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
X-Mailer: Apple Mail (2.1499)
Cc: tls@ietf.org
Subject: Re: [TLS] Next Protocol Negotiation 03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2012 00:56:28 -0000

On Nov 14, 2012, at 3:30 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:

> Here is an example active attack which could reveal the negotiated protocol:
> - MITM downgrades the cipher during TLS handshake.
> - MITM can decrypt EncryptedExtensions message and find out which application protocol has been negotiated between the server and the client.
> - Finished messages are exchanged, at which point the attack is detected and the session is aborted. But the attacker knows the application protocol that is likely to be negotiated between this server and this client in the future.

This is arguing that the EncryptedExtensions message might be misnamed, in that an active MITM who doesn't mind breaking the exchange can view it. This is similar to identity-exposing attacks in IKEv1. It's a design tradeoff.

> Negotiating in the client and server hello messages (in the clear) achieves the goal of reducing round trips. The added complexity of EncryptedExtensions does not provide much security value.

I like the current design of NPN better than negotiating in the clear (and thus giving passive MITM firewalls another place to block based on policy). It doesn't feel that EncryptedExtensions is complex and it forces an MITM who wants to know the protocol being used to become noticeable active attackers.

> In those situations where the next protocol negotiation needs to be confidential, one could use TLS renegotiation. Alternatively, the next protocol can be negotiated after exchanging Finished messages, outside of the TLS handshake.

Renegotiation adds round trips and complexity, as we have seen in this WG. "Outside of the TLS handshake" just pushes this off to layer 7 and forces a change to all application servers and clients to do the negotiation. It seems cleaner to keep this in TLS.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email