IETF Logo Mail Archive

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Martin Rex <mrex@sap.com> Wed, 11 November 2009 01:39 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87EED3A6BBB for <tls@core3.amsl.com>; Tue, 10 Nov 2009 17:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.146
X-Spam-Level:
X-Spam-Status: No, score=-6.146 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXJNeMmBsvVM for <tls@core3.amsl.com>; Tue, 10 Nov 2009 17:39:04 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 62D693A6999 for <tls@ietf.org>; Tue, 10 Nov 2009 17:39:04 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAB1dUo4026253 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Nov 2009 02:39:30 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911110139.nAB1dTH7011810@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 11 Nov 2009 02:39:29 +0100
In-Reply-To: <4AF9FE4E.5050001@pobox.com> from "Michael D'Errico" at Nov 10, 9 03:59:10 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 01:39:05 -0000

Michael D'Errico wrote:
> 
> I disagree.  When you receive the ChangeCipherSpec, the new parameters
> take effect; the Finished message has to immediately follow to verify
> the handshake succeeded.  Verification of the Finished message signals
> the end of the old session and the beginning of the new.

Correct.  This is what rfc5246 (TLS 1.2) specified in 7.4.9 Finished
message when describing the handshake protocol.

Unfortunately there is a slightly confusing disagreement with the
description of the SSL Record protocol (which is a logically seperate
thing and often also a seperate sofwarer layer).  As mentionend in
a previous message, the final paragraph of 6.2.1 Fragmentation
in the description of the Record Layer Protocol says this to
implementors:

   Note: Data of different TLS record layer content types MAY be
   interleaved.  Application data is generally of lower precedence for
   transmission than other content types.  However, records MUST be
   delivered to the network in the same order as they are protected by
   the record layer.  Recipients MUST receive and process interleaved
   application layer traffic during handshakes subsequent to the first
   one on a connection.

If a company subscribes to agile software development with Scrum and assigns
the implementation of the TLS record layer and of the TLS handshake protocol
to different Scrum teams, you may be surprised with the result on this
point of the spec. :-/


> 
> > But that will not affect the miserable ambiguity for where the
> > original session ends and the new session starts if we do allow
> > established identities to change during renegotiation.
> 
> The CCS/Finished tells you where to draw the line.

If the server implementation that you're looking at uses a
callback scheme similar to OpenSSL, then the application might
have hardwired the update of the client authentication state
(as seen by the app) to the callback that is called when processing
the clients certificate verify message.  At that point, the
session is still in the clear for an attacking MITM, and that
MITM might start inserting application records that the server
will receive at a point where it thinks the client is authenticated
(which it is, just that the client authentication is tied to
an encrypted channel that is still being negotiated and has
not yet been confirmed for the current session yet...

Does OpenSSL offer a callback for the finished messsage of
a renegotiation, and which OpenSSL-based server is using that callback?


I would be OK with interleaving application data with handshake
message for the case where TLS enforces a lockdown of the communicating
identities. 

I really don't like to allow both, change of identities during
renegotiation _and_ arbitrary interleaving of application data
with the renegotiation handshake messages.  Applications
may get this wrong easily.


For earthbound TLS connections a rekeying of a TLS connection
through renegotiation while application data continues to flow
is probably not an issue.  It might become an issue for a link to
a space vehicle further out (like a moon of jupiter),
where one might want to continue transfering a few gigabytes of data
while the TLS renegotiation (for the purpose of rekeying) is performed...


-Martin

v2.23.0 | Report a Bug | By Email