Re: [TLS] Request for review: Next Protocol Negotiation Extension
Marsh Ray <marsh@extendedsubset.com> Thu, 19 August 2010 15:01 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5AD2A3A6878 for <tls@core3.amsl.com>; Thu, 19 Aug 2010 08:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level:
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[AWL=0.238, BAYES_00=-2.599, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id elkb+aqRV0Lv for <tls@core3.amsl.com>; Thu, 19 Aug 2010 08:01:43 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 871763A6829 for <tls@ietf.org>; Thu, 19 Aug 2010 08:01:43 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1Om6dG-0007zo-8o; Thu, 19 Aug 2010 15:02:18 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 947236095; Thu, 19 Aug 2010 15:02:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19jMQe2as9H1rIQaZMsBjqIyezUQGEhlB4=
Message-ID: <4C6D4776.1060006@extendedsubset.com>
Date: Thu, 19 Aug 2010 10:02:14 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: Nathaniel W Filardo <nwf@cs.jhu.edu>
References: <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com> <000401cb3e4f$456f6d60$d04e4820$@briansmith.org> <4C6B1BAA.5060303@pobox.com> <AANLkTi=QzEmzuhX=rKkTFjVvWxP5r_0zcVHq00L-4JoS@mail.gmail.com> <4C6B8189.5080406@extendedsubset.com> <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com> <F91CB64B-E0F6-42B7-B91B-F9F7464709E1@iki.fi> <AANLkTi=TmbOiLCpiOWyxXSDs-z-V5Bw7w=gLtvoerAvy@mail.gmail.com> <20100819073021.GV18003@gradx.cs.jhu.edu>
In-Reply-To: <20100819073021.GV18003@gradx.cs.jhu.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2010 15:01:45 -0000
On 08/19/2010 02:30 AM, Nathaniel W Filardo wrote: > > The particular class of attacks you're worried about all involve an agent, > C, making requests to a server S, on behalf of some untrusted third party, > M. Further, S thinks that it is speaking P and C thinks that it is speaking > Q, with P != Q. It happens to be that S's interpretation of P is compatible > with C's production of Q. > > For concrete example, in the case of P=SMTP and Q=HTTP, > [] > NPN does _nothing_ to help here, since TLS is not involved. _Every_ > cross-protocol attack I am aware of is of this class; if you can provide > citations otherwise, I would love to see them. Lately I've been looking into a long-existing credentials forwarding attack on NTLM authentication. It's cross-protocol in the sense that the authentication can, in fact, be taken from an SMTP connection and used to authenticate an HTTPS session. http://extendedsubset.com/?p=36 The slides pdf linked from there shows a grid of the explored and open attack space. > Now, we can ignore (P,Q) being (SMTP,HTTPS) or (SMTPS,HTTP) since neither > off-diagonal form is going to be able to bring up the TLS session to > everybody's satisfaction. It seems plausible that the attacker might control enough data in the Client Hello, e.g. SNI, that it could be usefully interpreted by the server. Or more simply, just sending the random binary data would probably crash more than one server out there. > (P,Q)=(SMTPS,HTTPS) with neither C nor S expecting to see authentication > essentially behaves as (SMTP,HTTP), I agree; TLS NPN helps here. > > (P,Q)=(SMTPS,HTTPS) with S expecting C to authenticate will result in a > cross-protocol attack iff either of the following conditions are met: > 1. C has a client certificate which S will accept and S does not expect > in-band authentication. I could imagine this happening, and without user intervention. Consider a corporate PKI scenario where every user and every server gets their cert from the same cert management system run by the IT dept. > 2. M has been able to specifically craft a P-message involving suitable > credentials for C's use in this transmission. A forwarding attack such as is possible with NTLM could potentially allow this. > Neither of these are terribly realisitic (in my mostly speculative opinion). > Note that if S's knobs are set such that P requires a challenge-response > authentication pass, that M will, whp, be unable to successfully take option > 2. Well the idea of WebSockets is to give full-duplex communications to attacker supplied Javascript. If he can successfully complete the initial handshake, it's better to assume anything is possible after that. > In all, while I have no intrinsic objection to TLS NPN, it seems to me that > the solution should be independent of the cryptographic provisioning layer, > since it demonstrably has nothing to do with said functionality. The TLS layer would seem to have a some of things going for it: 1. It's designed to authenticate-or-fail connections, i.e., it doesn't observe Postel's law. 2. Piggybacking on the TLS handshake could save a round trip. - Marsh
- [TLS] Request for review: Next Protocol Negotiati… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Peter Sylvester
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Steingruebl, Andy
- Re: [TLS] Request for review: Next Protocol Negot… Eric Rescorla
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Geoffrey Keating
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Nikos Mavrogiannopoulos
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Juho Vähä-Herttua
- Re: [TLS] Request for review: Next Protocol Negot… Brian Smith
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Adam Langley
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Adam Barth
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Nathaniel W Filardo
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Peter Gutmann
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Martin Rex
- Re: [TLS] Request for review: Next Protocol Negot… Marsh Ray
- Re: [TLS] Request for review: Next Protocol Negot… Michael D'Errico