Re: [TLS] TLS renegotiation issue

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 05 November 2009 18:01 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7AE5428C113 for <tls@core3.amsl.com>; Thu, 5 Nov 2009 10:01:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.229
X-Spam-Level:
X-Spam-Status: No, score=-5.229 tagged_above=-999 required=5 tests=[AWL=-0.783, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_BACKHAIR_46=1, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6cXsJO0RifD for <tls@core3.amsl.com>; Thu, 5 Nov 2009 10:01:52 -0800 (PST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by core3.amsl.com (Postfix) with ESMTP id 958C628C116 for <tls@ietf.org>; Thu, 5 Nov 2009 10:01:52 -0800 (PST)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nA5I2FMs009785 for <tls@ietf.org>; Thu, 5 Nov 2009 18:02:15 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nA5I2EiJ016395 for <tls@ietf.org>; Thu, 5 Nov 2009 11:02:15 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nA5Hoixl009265; Thu, 5 Nov 2009 11:50:45 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nA5HoiH6009264; Thu, 5 Nov 2009 11:50:44 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 5 Nov 2009 11:50:44 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20091105175044.GG5124@Sun.COM>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <200911051711.nA5HBfOl028765@fs4113.wdf.sap.corp> <20091105171308.GY1105@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20091105171308.GY1105@Sun.COM>
User-Agent: Mutt/1.5.7i
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
Subject: Re: [TLS] TLS renegotiation issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2009 18:01:53 -0000

On Thu, Nov 05, 2009 at 11:13:08AM -0600, Nicolas Williams wrote:
> On Thu, Nov 05, 2009 at 06:11:41PM +0100, Martin Rex wrote:
> >  - on TLS session renegotiations, the client should sent the TLS extension
> >    with the extension data containing the client.random and server.random
> >    from the existing session.
> 
> The MITM can make sure they match.
> 
> Why not just send an extension with the tls-unique channel binding for
> the first/outer connection, and then make sure that that gets fed as an
> input for the PRF in the second/inner connection?  I.e., proper channel
> binding.  The MITM _cannot_ make sure that the tls-unique CB of the
> client<->MITM and MITM<->server outer connections match.

I should expand on this.

Suppose you have:

 client <-> MITM <-> server

When the client sends its outer conenction client Hello to the MITM, the
MITM sends one with the same client.random to the server and waits for
the server to send its Hello back, then the MITM sends a Hello back to
the client using the same server.random that the server sent to the
MITM.

The first exchange completes on both sides of the MITM, then the client
sends a request.  The MITM replaces the client's request with whatever
the MITM wants and sends that to the server.  The server requests a
re-negotiation, the MITM passes that on.  When the client and server
re-negotiate they will see that the client.random and server.random from
the outer TLS connection matches.  The MITM wins.

You can't use the client.random and server.random as channel bindings.

But the client's Finished message from the outer TLS connection works.

Suppose the first handshake uses an anonymous DH cipher suite.  The MITM
cannot solve the discrete logarithm problem, therefore the MITM cannot
make sure that the client and server exponentials match for both, the
client<->MITM and MITM<->server connections, therefore the MITM also
cannot cause the Finished messages to match.

Suppose the first handshake uses an RSA key transport key exchange.
This means there must be a server cert.  The MITM cannot make sure that
the server cert seen by the client in its client<->MITM TLS connection
matches that of the real server in the MITM<->server TLS connection
without either possessing the server's private key or breaking RSA.

In all cases, no matter what the TLS key exchange method used, the
Finished messages had better bind the entire handshake and the key
exchange in such a way that no MITM can force the Finished messages to
have any particular value or otherwise match another connection's
Finished messages.  This is central to the security of TLS.  If a MITM
can make the Finished messages for two connections match, then the MITM
must have broken TLS itself.  That's what makes the TLS Finished
messages such a wonderful channel binding for TLS connections.

(In all cases, if the MITM can solve the discrete logarithm problem, has
possession of the server's private key, or can break RSA, you have
bigger problems than a MITM attack.)

Nico
--