IETF Logo Mail Archive

Re: [TLS] Summarizing identity change discussion so far

Marsh Ray <marsh@extendedsubset.com> Wed, 09 December 2009 22:59 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 165763A67EB for <tls@core3.amsl.com>; Wed, 9 Dec 2009 14:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.595
X-Spam-Level:
X-Spam-Status: No, score=-2.595 tagged_above=-999 required=5 tests=[AWL=0.004, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC-gzSHAfl82 for <tls@core3.amsl.com>; Wed, 9 Dec 2009 14:59:40 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 3296C3A680F for <tls@ietf.org>; Wed, 9 Dec 2009 14:59:40 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NIVVI-000MvP-NQ; Wed, 09 Dec 2009 22:59:28 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 7FDAE603A; Wed, 9 Dec 2009 22:59:27 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/ABt8eWND4kJvse0b5O6HiEvyk62XZH54=
Message-ID: <4B202BCD.40500@extendedsubset.com>
Date: Wed, 09 Dec 2009 16:59:25 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pasi.Eronen@nokia.com
References: <808FD6E27AD4884E94820BC333B2DB774F31A4FD08@NOK-EUMSG-01.mgdnok.nokia.com> <4B1E4E10.90201@cs.tcd.ie> <808FD6E27AD4884E94820BC333B2DB774F31D235DE@NOK-EUMSG-01.mgdnok.nokia.com> <4B1E786A.7070100@extendedsubset.com> <808FD6E27AD4884E94820BC333B2DB774F31D2391E@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31D2391E@NOK-EUMSG-01.mgdnok.nokia.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 22:59:41 -0000

Hello all,

I'm wearing a warm red and gray hat today.

Pasi.Eronen@nokia.com wrote:
> Marsh Ray wrote:
> 
>>> and can cause security vulnerabilities for some of them.
>> Do we know of any examples? I can only think of some very subtle and
>> hypothetical ones that require client and server apps that are already
>> coded for switching identities intentionally.
> 
[...]
> 
> I guess an even worse example would be something like this:
> 
>   conn = openTlsConnection(host, port)
>   if not verifyCertChain(conn.getPeerCert()):
>      raise "Not a valid cert"
>   if conn.getPeerCert().getName() != expected_name:
>      raise "Name in certificate doesn't match"
>   # continue...

_After_ renegotation is fixed (and/or disabled by default) though, how
is this a problem? RI proves the data has come from the same remote
endpoint. That same remote endpoint has proven that he can supply an
acceptable cert, too.

In order for this example to be a problem, the legitimate client would
have to renegotiate specifically for the purpose of dropping certain
cert credentials. This would seem to imply that the application code was
expecting cert changes.

This is not to say that there's no application that could be confused by
such a change, only that I haven't seen any real examples. Nelson
suggested a test tool used internally with NSS might do something
agressive with certs and renegotiation like that.

I don't think it's inherently broken. It seems reasonable to me for one
party to say "By the initial handshake and two subsequent renegotiations
I have proven posession of the private keys for these three certificates".

With renegotiation fixed, credentials supplied on different handshakes
may legitimately be treated as additive. This is how https client
certificates often work: an initial anon-client connection adds a client
cert to the connection by renegotiating.

The actual credentials policy should be documented as part of the app
protocol on top of TLS. Most of them would document "no renegotiation"
and I think that should be the default for implementations.

> Most TLS libraries seem to support both callback and get() style
> functions for accessing/checking certificates.

Most script-language bindings to OpenSSL seem not to support the
callback mechanism very well. Just a data point.

> Although using the callback-style APIs might be more common (and in
> some sence nicer, since it allows you to abort the handshake 
> a bit earlier -- but an app developer might not care about this very 
> much), I think it would be a surprise to most app developers that 
> using the get-style APIs might not be secure.
> 
> (And I wouldn't be surprised at all if real applications using
> those get() style APIs are found...) 

You know they exist when all example code for some very popular
implementations and languages does it that way.

- Marsh

v2.23.0 | Report a Bug | By Email