Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Yoav Nir <ynir@checkpoint.com> Mon, 09 November 2009 21:05 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 178A63A68A4 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 13:05:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqI2w28kU8im for <tls@core3.amsl.com>; Mon, 9 Nov 2009 13:05:36 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id D64923A682D for <tls@ietf.org>; Mon, 9 Nov 2009 13:05:35 -0800 (PST)
X-CheckPoint: {4AF88127-1-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 0491D29C005; Mon, 9 Nov 2009 23:05:56 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id E223529C002; Mon, 9 Nov 2009 23:05:56 +0200 (IST)
X-CheckPoint: {4AF88123-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nA9L5uc6001480; Mon, 9 Nov 2009 23:05:56 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 9 Nov 2009 23:06:00 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 09 Nov 2009 23:05:59 +0200
Thread-Topic: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Thread-Index: Acphc8xfMZxT+T1PTp6s68b8KNQpFAAC5+JZ
Message-ID: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03@il-ex01.ad.checkpoint.com>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803@extendedsubset.com>, <4AF86EDF.3090004@jacaranda.org>
In-Reply-To: <4AF86EDF.3090004@jacaranda.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 21:05:37 -0000

David-Sarah Hopwood wrote:

> Marsh Ray wrote:
>> Yair Elharrar wrote:
>>> In addition, until such time that all clients in the world start
>>> supporting this extension (e.g. kiosks in airports), servers will
>>> have to support backward compatibility.
>>
>> It will be a trade-off for each server admin to weigh and decide their
>> policy. I suspect many admins will prefer not to allow insecure
>> connections from unpatched airport kiosks.
>
> To prevent this attack, they don't have to disallow connections, only
> renegotiations in which the extension is not used.

Even that can be further refined. You can freely renegotiate an authenticated session, as long as the renegotiation does not involve an identity change.

Obviously, if the first handshake include client authentication, any renegotiation that includes the same client cert is fine.

If the session is authenticated by the application (as in an HTTPS login page) it's also possible to renegotiate with impunity, but the interaction here between the application and the TLS layer may be too sensitive an bug prone to specify in the draft. For example, if an SSTP server renegotiates after the client has authenticated (through PPP), I don't think there's a security risk in not implementing the extension.