Re: [TLS] MITM Attacks on Client Authentication after Resumption
mrex@sap.com (Martin Rex) Mon, 03 March 2014 23:13 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EC9C1A024B for <tls@ietfa.amsl.com>; Mon, 3 Mar 2014 15:13:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ruA8XZHHY_k for <tls@ietfa.amsl.com>; Mon, 3 Mar 2014 15:13:21 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id C94891A0249 for <tls@ietf.org>; Mon, 3 Mar 2014 15:13:20 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s23NDGpm004613 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Mar 2014 00:13:16 +0100 (MET)
In-Reply-To: <b38d76f917ce46ca8d673928d35eb76d@BL2PR03MB419.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Tue, 04 Mar 2014 00:13:15 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20140303231316.03E2E1AC37@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/meDw26qN0Vi1YEI-OUBhhbjFTqE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 23:13:24 -0000
Andrei Popov wrote: > > Ø I would note that the renegotiation handshake we are speaking about > is not exactly a standalone authentication protocol. But we know since at least late 2009 that TLS server that use/allow delayed authentication through renegotiation abuse the rengotiation handshake in EXACTLY such a fashion, they have been turning the mere technical successful completion of a TLS renegotiation handshake into an OTP scheme that authorizes a previously received, unauthenticated request. As I wrote in my 2009 posting about the problem: The victim [] TLS server has no means to detect that it has been attacked. Whether the TLS client cares about receiving a different TLS server cert in the renegotiation handshake and what it will do about it -- if anything, depends entirely on the application of the TLS client. At the TLS level, everything looks just fine. I'm not sure that all clients will repeat the server authentication. They can be expected to verify the server certificate before sending off their request. Depending on the API architecture, they may not always realize or care that a renegotiation was performed while they were sitting on SSL_read() waiting for the server reply. And even if they decide to perform an additional server endpoint identification, they might be doing it after the renegotiate handshake has been successfully completed -- a point where the victim [] TLS server has started performing the action requested in the anonymous request from the MITM. Because of the nature of this problem, that the server reinterprets a technically successful renegotiation handshake into an OTP authentication scheme to authenticate a previously received, unrelated and unauthenticated request, the following guidance was added to rfc5746: http://tools.ietf.org/html/rfc5746#section-5 While this extension mitigates the man-in-the-middle attack described in the overview, it does not resolve all possible problems an application may face if it is unaware of renegotiation. For example, during renegotiation, either the client or the server can present a different certificate than was used earlier. This may come as a surprise to application developers (who might have expected, for example, that a "getPeerCertificates()" API call returns the same value if called twice), and might be handled in an insecure way. TLS implementations SHOULD provide a mechanism to disable and enable renegotiation. TLS implementers are encouraged to clearly document how renegotiation interacts with the APIs offered to applications (for example, which API calls might return different values on different calls, or which callbacks might get called multiple times). To make life simpler for applications that use renegotiation but do not expect the certificate to change once it has been authenticated, TLS implementations may also wish to offer the applications the option to abort the renegotiation if the peer tries to authenticate with a different certificate and/or different server name (in the server_name extension) than was used earlier. TLS implementations may alternatively offer the option to disable renegotiation once the client certificate has been authenticated. > > It is the second handshake on a connection, with different client or > server identity than the first handshake. This leaves room for confusion: > should an implementation associate the connection to the first set > of principals or the second? The guidance from rfc5746 should be clear. The server which is doing delayed authentication through renegotiation is still comitting the sin here. Currently, it dumps the problem and its mitigation for this risky server-side behaviour entirely on the client. > > When a renegotiation happens, the TLS client must validate the newly > negotiated parameters, including the server cert, the cipher suites, > Finished hash, etc. A TLS client that neglects to validate the server > certificate after renegotiation simply has a bug. The problem can easily be an "added value" provided transparently by the underlying TLS client implementation, and the application client may not be aware that it has to cover the ass of the server, who is abusing the renegotiatiation handshake for delayed authentication. > > It appears that the attack described is only feasible when two > implementation defects are present: > > 1. TLS implementation error in the client (failure to validate > the server cert), and After rfc5746 this would be a defect of an rfc5746-enhanced TLS client to "transparently" replace the server cert after the first handshake completed without being explicitly authorized by the application caller to do so. > > 2. A server application that associates data received from an > unauthenticated client with the data received after enabling > TLS client authentication. Requesting TLS clients through renegotiation rather than upfront seems to be pretty common (it even seems to be the default in IIS 7.x), and some browser even have small difficulties being asked for a certificate upfront (such as Safari). > > While we cannot prevent the latter at the TLS protocol layer, > I believe fixing the bug in the TLS client effectively thwarts this attack. The original renegotiation problem and the newly describe session resumption problem are very similar: flawed assumptions about a cryptographic binding that doesn't exist. But until you write down the exact properties and think about it, you may not notice the problem. As soon as you write it down, the problem becomes obvious. The abbreviated TLS handshake authenticates only the MasterSecret. But the MasterSecret is derived exclusively from ClientHello.random, ServerHello.random and the keyExchange transform, there is no cryptographic binding to any identities that are authenticated during the TLS handshake. So the fix of the abbreviated TLS handshake needs to account for the (re-)authentication of the identities of the original full handshake, either by modifying the MasterSecret computation or by authenticating the original full handshake during the abbreviated TLS handshake through a TLS extension similar to how the renegotiation_info extension does this in the renegotiation handshake. -Martin
- [TLS] MITM Attacks on Client Authentication after… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Karthikeyan Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Paterson, Kenny
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Andrei Popov
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Salz, Rich
- Re: [TLS] MITM Attacks on Client Authentication a… Watson Ladd
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Thomson
- Re: [TLS] MITM Attacks on Client Authentication a… Dr Stephen Henson
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Daniel Kahn Gillmor
- Re: [TLS] MITM Attacks on Client Authentication a… Nico Williams
- Re: [TLS] MITM Attacks on Client Authentication a… Bodo Moeller
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Adam Langley
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Martin Rex
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Karthik Bhargavan
- Re: [TLS] MITM Attacks on Client Authentication a… Xuelei Fan
- Re: [TLS] MITM Attacks on Client Authentication a… Liz meeks