Re: [TLS] MITM Attacks on Client Authentication after Resumption

Nico Williams <nico@cryptonector.com> Tue, 04 March 2014 20:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ACC71A0235 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 12:43:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DBgtA-slcuA3 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 12:43:18 -0800 (PST)
Received: from homiemail-a34.g.dreamhost.com (agjbgdcfdbge.dreamhost.com [69.163.253.164]) by ietfa.amsl.com (Postfix) with ESMTP id C36F31A02F8 for <tls@ietf.org>; Tue, 4 Mar 2014 12:43:18 -0800 (PST)
Received: from homiemail-a34.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTP id 78F2B10070 for <tls@ietf.org>; Tue, 4 Mar 2014 12:43:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=K0vyxA+ocaGXBntxQN8T 0L6G1D4=; b=p15CpVhaOqNhKqfdss5FmiipbA1lrtDauTz6Jg17tKSQIjA3k+Wf pAM6TZiv2Oi53uKoc764TkW0IjLaQo9QyKcUUvoafm6W4J7Y0myZ5V0+dlXA1Z3p iRT/dMc3BE1dguAot+hfx0eIV8dYHJq3rUl727onKTH+YcTJIkZHqjE=
Received: from mail-we0-f177.google.com (mail-we0-f177.google.com [74.125.82.177]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTPSA id 24C911006E for <tls@ietf.org>; Tue, 4 Mar 2014 12:43:14 -0800 (PST)
Received: by mail-we0-f177.google.com with SMTP id u57so79187wes.36 for <tls@ietf.org>; Tue, 04 Mar 2014 12:43:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=92gMci2JJ8G4P+cOvMKQb5NKoCo4LdtVVhQN5BpaY+U=; b=fKWmux0YJ5zzB1tkTHnqY4XqRzERwf5uweEqjFlRzj1YYjgBwWCFqwV77PdWZG1VQI F6znD4AGlTMRh0qfUfWZdlt+sqwmpibDsuulWEVAiz9iizv0fecW5WFPBAX+b7giibkM CygRDdBQkRpt8RzxZQRlkv8xhU/yVJde+qVgNeeCUXE0aW5CSUBPJ+0JT0/Ws75Z2Lnz nZtB6KV4tpfeHRGlV49ptQokIAI//eF4JSh8uP+TZAQYtZPSXAPKnMvqfqet/dlhG0jL MpHg6nm6ARiFzger/PKPohg4rpfGOxtblbhkhcIN899xw8faiWA1mKFqcVtUWtZ1R+OW whcw==
MIME-Version: 1.0
X-Received: by 10.194.179.69 with SMTP id de5mr2689784wjc.4.1393965794082; Tue, 04 Mar 2014 12:43:14 -0800 (PST)
Received: by 10.217.108.132 with HTTP; Tue, 4 Mar 2014 12:43:14 -0800 (PST)
In-Reply-To: <BB2FE60E-A7CA-4EA7-BFC8-AB794EC6FF00@inria.fr>
References: <BB2FE60E-A7CA-4EA7-BFC8-AB794EC6FF00@inria.fr>
Date: Tue, 4 Mar 2014 14:43:14 -0600
Message-ID: <CAK3OfOgYK9MX5XKEkCKbnAN4DvcnXKoT796xyGe7nQYpC=W2_A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jm1bt2aNknUzORLRvWTz-ZNvlQQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 20:43:19 -0000

Scott Cantor points out -rightly- that tls-server-end-point channel
bindings also have a problem if resumption+renegotiation can result in
the session over which authentication takes place to have the correct
server certificate.

Nico
--