Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Martin Rex <mrex@sap.com> Wed, 11 November 2009 01:39 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87EED3A6BBB for <tls@core3.amsl.com>; Tue, 10 Nov 2009 17:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.146
X-Spam-Level:
X-Spam-Status: No, score=-6.146 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXJNeMmBsvVM for <tls@core3.amsl.com>; Tue, 10 Nov 2009 17:39:04 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 62D693A6999 for <tls@ietf.org>; Tue, 10 Nov 2009 17:39:04 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAB1dUo4026253 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Nov 2009 02:39:30 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911110139.nAB1dTH7011810@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 11 Nov 2009 02:39:29 +0100
In-Reply-To: <4AF9FE4E.5050001@pobox.com> from "Michael D'Errico" at Nov 10, 9 03:59:10 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 01:39:05 -0000
Michael D'Errico wrote: > > I disagree. When you receive the ChangeCipherSpec, the new parameters > take effect; the Finished message has to immediately follow to verify > the handshake succeeded. Verification of the Finished message signals > the end of the old session and the beginning of the new. Correct. This is what rfc5246 (TLS 1.2) specified in 7.4.9 Finished message when describing the handshake protocol. Unfortunately there is a slightly confusing disagreement with the description of the SSL Record protocol (which is a logically seperate thing and often also a seperate sofwarer layer). As mentionend in a previous message, the final paragraph of 6.2.1 Fragmentation in the description of the Record Layer Protocol says this to implementors: Note: Data of different TLS record layer content types MAY be interleaved. Application data is generally of lower precedence for transmission than other content types. However, records MUST be delivered to the network in the same order as they are protected by the record layer. Recipients MUST receive and process interleaved application layer traffic during handshakes subsequent to the first one on a connection. If a company subscribes to agile software development with Scrum and assigns the implementation of the TLS record layer and of the TLS handshake protocol to different Scrum teams, you may be surprised with the result on this point of the spec. :-/ > > > But that will not affect the miserable ambiguity for where the > > original session ends and the new session starts if we do allow > > established identities to change during renegotiation. > > The CCS/Finished tells you where to draw the line. If the server implementation that you're looking at uses a callback scheme similar to OpenSSL, then the application might have hardwired the update of the client authentication state (as seen by the app) to the callback that is called when processing the clients certificate verify message. At that point, the session is still in the clear for an attacking MITM, and that MITM might start inserting application records that the server will receive at a point where it thinks the client is authenticated (which it is, just that the client authentication is tied to an encrypted channel that is still being negotiated and has not yet been confirmed for the current session yet... Does OpenSSL offer a callback for the finished messsage of a renegotiation, and which OpenSSL-based server is using that callback? I would be OK with interleaving application data with handshake message for the case where TLS enforces a lockdown of the communicating identities. I really don't like to allow both, change of identities during renegotiation _and_ arbitrary interleaving of application data with the renegotiation handshake messages. Applications may get this wrong easily. For earthbound TLS connections a rekeying of a TLS connection through renegotiation while application data continues to flow is probably not an issue. It might become an issue for a link to a space vehicle further out (like a moon of jupiter), where one might want to continue transfering a few gigabytes of data while the TLS renegotiation (for the purpose of rekeying) is performed... -Martin
- [TLS] draft-rescorla-tls-renegotiate and MITM res… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Dr Stephen Henson
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Steve Dispensa
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Peter Saint-Andre
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] To API or not Bill Frantz
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- [TLS] RC4+3DES rekeying - long-lived TLS connecti… Martin Rex
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… David-Sarah Hopwood
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… Peter Saint-Andre