Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Tue, 10 November 2009 21:42 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4E7A33A6B88 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 13:42:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.488
X-Spam-Level:
X-Spam-Status: No, score=-3.488 tagged_above=-999 required=5 tests=[AWL=1.111, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XY5Zp8vqIlga for <tls@core3.amsl.com>; Tue, 10 Nov 2009 13:42:05 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 66C073A6B87 for <tls@ietf.org>; Tue, 10 Nov 2009 13:42:05 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7yTw-0001pL-F3; Tue, 10 Nov 2009 21:42:32 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 267176678; Tue, 10 Nov 2009 21:42:29 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/V9nquu7P+4Os27mCbFYJyf53D5L5p0h0=
Message-ID: <4AF9DE40.60903@extendedsubset.com>
Date: Tue, 10 Nov 2009 15:42:24 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: mrex@sap.com
References: <200911102101.nAAL1Ai9025439@fs4113.wdf.sap.corp>
In-Reply-To: <200911102101.nAAL1Ai9025439@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 21:42:06 -0000

Martin Rex wrote:

> If you lock down established identites, then I do not see a problem with this.

Really, it's the upper layers that define how 'identity' is to be
interpreted. TLS may know that the certs on one end or the other is the
same, but that is not the same as saying that the actual app-layer
identities are interchangeable.

>> I do see however, that data probably needs to stop flowing after sending
>> a Finished message until receiving the peer's Finished message, but
>> that affects only one direction and last for one round trip, not two.
> 
> Why Finished?  I think its everything following the ChangeCipherSpec.

For all the reasons that the Finished message was added to the protocol?

Hmmm, is app data allowed prior to the first finished message? No way,
couldn't happen.

> Sending an alert when that happens and closing the connection
> is fine with me.

Certainly preferable to passing something unexpected.

> I'm wondering whether there are application that actively abuse
> this feature and would break if the TLS implementation would exhibit
> semantics similar to those I outlined above and fail with an error
> if the TLS implementation would reject application data while
> performing the renegotiation handshake.

I believe that there are TLS library implementations that conduct
renegotiation transparently to the application code unless the app
specifically requests it.

Really there are a few missing letters in the plaintext alphabet.

Handshake - A marker, encodes identity info.
0x00 - 0xFF traditional data byte values.
EOD - End of data, like EOF.

Without that 'handshake' value actually there in the middle of the
plaintext buffered data coming out of the API, I don't know how
application code can get this right.

I haven't seen a TLS library API that defines things that way though.
Many provide a callback for the identity change, but it's unclear
what happens to buffered plaintext at the time it's called.

> What about the application data sent between the ChangeCipherSpec
> and the Finished messages?

Possibly Handshake is really two messages, HandshakeCCS and
HandshakeFinished.

If app data is prohibited before the first Finished, and the RI ext
strongly ties the sessions together, does this issue go away?

- Marsh