IETF Logo Mail Archive

Re: [TLS] matching identity, by default

Marsh Ray <marsh@extendedsubset.com> Fri, 04 December 2009 13:42 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7CC393A691E for <tls@core3.amsl.com>; Fri, 4 Dec 2009 05:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level:
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JRuBJCFEMULK for <tls@core3.amsl.com>; Fri, 4 Dec 2009 05:42:08 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 6F4D73A68D1 for <tls@ietf.org>; Fri, 4 Dec 2009 05:42:08 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NGYQ2-000NGC-GK; Fri, 04 Dec 2009 13:41:59 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 0ACF6603C; Fri, 4 Dec 2009 13:41:56 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+e2s3U2SK0X/BilcmZS4CS92fsJ1FQNTI=
Message-ID: <4B1911A2.40701@extendedsubset.com>
Date: Fri, 04 Dec 2009 07:41:54 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: James Manger <james@manger.com.au>
References: <200912040154.nB41sIt2029221@fs4113.wdf.sap.corp> <4B188413.2070303@extendedsubset.com> <58AAE640-FAE0-493A-A2EF-FCA0EE4E3816@manger.com.au>
In-Reply-To: <58AAE640-FAE0-493A-A2EF-FCA0EE4E3816@manger.com.au>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org Working Group" <tls@ietf.org>
Subject: Re: [TLS] matching identity, by default
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 13:42:09 -0000

James Manger wrote:
> Marsh,
> 
>> In other words, an endpoint could
>> renegotiate an anonymous connection ten times to provide ten different
>> certificates, and the other party can securely treat all data sent over
>> that connection as having been authenticated to all ten certificates!
> 
> This point about all data being authenticated by all certs is a good
> point to emphasis.
> Unfortunately, it does not mean typical applications wont get confused
> (ie have vulnerabilities) when they hadn't explicitly anticipated that
> 10 certs could be renegotiated.

Yep.

>> I have a driver's license issued by Kansas and a passport issued by the
>> US Dept of State, yet I do not assume two different identities.
>> Sometimes, I am even requested to provide both!
> 
> Consider turning up to a Whitehouse check point, showing your
> credentials to a guard, and "renegotiating" whenever you like by showing
> another credential. A controller talking to the guard on the phone asks:
> [controller] What is the name on the credential?
> [guard] Marsh Ray
> [controller] Type of credential?
> [guard] passport
> /now you show the guard your driver license/
> [controller] Issuer of credential?
> [guard] Kansas
> 
> The controller thinks he has authenticated Marsh Ray with a passport
> issued by Kansas.

lol - good example

> If you happen to have a library card under a fake name and you showed
> that first, the controller might think he has authenticated Bugs Bunny
> with a Passport from the US Dept of State. Ouch! That might allow the
> wrong person into a Whitehouse party ;-)
> 
> In this analogy, the guard is a TLS library, the controller is an
> application, your cards are certificates, and the protocol of showing
> your cards is TLS (with the fix!).

In real applications, there's also the possibility you could end up
authenticated as Kansas.

> Is the error the controller's fault or the guards fault? The
> application's or the TLS library's (or the protocol's for not providing
> sufficient guidance)?

Oh there's probably enough blame to go all around.

> This suggests another way for a TLS library to ensure it doesn't confuse
> an application that doesn't explicitly stated it is prepared for
> renegotiations.

I think it's becoming clear that very few application developers
realized that TLS had this capacity for renegotiation, much less that
their TLS library was doing it automatically.

'No renegotiation' is probably a good default.

> A library could tell the application only about one peer identity it
> authenticates (probably the first it authenticates).
> For instance, Java's HttpsURLConnection.getServerCertificates() method
> could return the same set of certificates for the life of the object
> (the life of the TLS connection), and simply not tell the application
> about any different certificates from renegotiations. The TLS library
> could still renegotiate and switch to new sessions, but the application
> would be blissfully unaware -- and still secure.
> 
> Somehow this behaviour doesn't feel quite right, but I think it would be
> ok.

Does seem a bit busted. The application may be renegotiating for the
explicit purpose of dropping credentials, such as when switching to a
new identity.

There's no solution short of disabling renegotiation by default, seeing
what breaks, and helping app developers fix it securely. But that's a
decision for each library vendor independently, not for the TLS wire
protocol spec.

> It might be easier to implement than comparing identities across
> negotiations, and it would cope with those (somewhat unbelievable) niche
> cases of renegotiating with a re-issued certificate etc.

SSL/TLS has been around long enough, and has been popular enough, that
it's pretty much guaranteed to have some of everything in operation. Any
change to the semantics of the protocol or widely-used interfaces is
going to break something. It's a question of how much you break, whether
anything ends up less secure as a result, and whether the result ends up
being easier or harder to understand.

Solutions that involve adding new logic (such as keeping the old
certificate and showing it to the application in place of the new) seem
to have a lot of potential for breaking things in subtle and silent ways.

- Marsh

v2.23.0 | Report a Bug | By Email