IETF Logo Mail Archive

Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt

Yoav Nir <ynir@checkpoint.com> Sun, 06 May 2012 18:00 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE46921F8534 for <tls@ietfa.amsl.com>; Sun, 6 May 2012 11:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.384
X-Spam-Level:
X-Spam-Status: No, score=-10.384 tagged_above=-999 required=5 tests=[AWL=0.215, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26wYv+nA79xY for <tls@ietfa.amsl.com>; Sun, 6 May 2012 11:00:53 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id C7F3921F84F8 for <tls@ietf.org>; Sun, 6 May 2012 11:00:52 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q46I0gAs015115; Sun, 6 May 2012 21:00:43 +0300
X-CheckPoint: {4FA6C9EC-0-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sun, 6 May 2012 21:00:41 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Sun, 06 May 2012 21:00:36 +0300
Thread-Topic: [TLS] draft-ray-tls-encrypted-handshake-00.txt
Thread-Index: Ac0rsiXRYf0yoC0NRPCXyGBDFD+E1g==
Message-ID: <55D3931D-2F6F-4749-A45E-6027021A1468@checkpoint.com>
References: <4FA401F7.5060003@extendedsubset.com> <4FA424A3.2010409@pobox.com> <4FA4264A.7070406@extendedsubset.com> <4FA4AE62.20506@pobox.com> <B3912FD3-F167-427A-B8EE-689898200939@checkpoint.com> <4FA55298.9010203@pobox.com> <65A74BBD-AA6D-447C-898D-8CB8C5966943@vpnc.org> <4FA55DAE.8020909@pobox.com> <508C47AD-7999-46EB-832A-4D66AAC87118@vpnc.org> <006FEB08D9C6444AB014105C9AEB133F017A7C056C48@il-ex01.ad.checkpoint.com> <CAOhHAXzGu+MR0=21mAbBswvJEsE2JneUhha2zvBF10umKE4cHg@mail.gmail.com> <5B46AA77-90A1-4BC8-92E7-B4533B36F78D@checkpoint.com> <CAOhHAXycZXk_DkTysxg5zMV+eSYoCOXiRzFJA6--wTq_PWBf6g@mail.gmail.com> <4FA6ACA1.8080603@extendedsubset.com>
In-Reply-To: <4FA6ACA1.8080603@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11e83128f69608a32ef3454544c8a63f9c39156825
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ray-tls-encrypted-handshake-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2012 18:00:53 -0000

On May 6, 2012, at 7:53 PM, Marsh Ray wrote:

> On 05/06/2012 03:49 AM, Mohamad Badra wrote:
>> 
>> I was reading "no need to have an (EC)DH certificate to authenticate the
>> first CCS". In that case, active attacks are possible.
> 
> Right, EH does not resist active attacks. It is possible for an active 
> attacker to learn what the client or server would have sent in the 
> handshake. But any such attack causes the handshake to fail in all the 
> scenarios where TLS currently provides integrity protection, i.e., 
> everywhere except for anon-anon DH connections or a pwned trusted root CA.
> 
> It may be possible to get better guarantees for messages that are sent 
> after the Client Key Exchange or Server Key exchange (such as RFC 4680 
> 'Supplemental Data' messages). But some TLS implementations reportedly 
> do not check these signatures until the Finished messages and many 
> non-browser clients do not even look at the name on the server cert 
> until the handshake is complete.
> 
> This means that the protections offered by EH to client certs is 
> limited. Applications requiring serious security for the content of 
> client certs should still use renegotiation.
> 
> If the client has an interest in protecting the client cert he MUST NOT 
> transmit the client cert until he's fully authenticated the server. 
> Generally this requires renegotiation, but many servers will not allow 
> the client to initiate that.
> 
> Consequently, general purpose clients like web browsers can be tricked 
> into transmitting the client cert to an active attacker. The only thing 
> that can fix that is to change the client behavior to be more strict. In 
> order to avoid breaking existing applications, clients can only become 
> more strict if they are given positive indication to do so. Most forms 
> of negotiation can be falsified by an active attacker at the point the 
> client cert must be sent.

I must be missing something. Here's your modified handshake, and I'm assuming (EC)DHE_RSA or (EC)DHE_ECDSA

      Client                                               Server

      ClientHello (with EH ext)    -------->
                                                    ServerHello2a
                                               [ChangeCipherSpec]
                                                    ServerHello2b
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      [ChangeCipherSpec]
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      Finished                     -------->
                                   <--------             Finished
      Application Data             <------->     Application Data

An active attacker can either move DH public keys between the client and server, but in that case it won't have the shared secret, and so - no certificate
So the active attacker has to perform a different DH with each side. But that means that the ServerKeyExchange from the server signs a different public key from the one the client saw, so that's not valid, and the attacker can't generate one that is appropriate, because it doesn't have the private key for the server certificate.

So regardless of whether ECDSA or RSA keys are used, how can the attacker get the certificate?

Yoav

v2.39.1 | Report a Bug | By Email | System Status