Re: [TLS] Root certificates in server certificate chains

Martin Rex <mrex@sap.com> Wed, 15 September 2010 00:44 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201009150044.o8F0iZfw005929@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net
Date: Wed, 15 Sep 2010 02:44:35 +0200
In-Reply-To: <1283316888.2175.14.camel@mattlaptop2.local> from "Matt McCutchen" at Sep 1, 10 00:54:48 am
Cc: tls@ietf.org
Subject: Re: [TLS] Root certificates in server certificate chains
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

Matt McCutchen wrote:
> 
> What attack are you describing?  If the attacker replaces the entire
> Certificate message with one containing his public key chained to a
> bogus root certificate, that is just a MITM attack.  If the attacker
> does some tampering but does not replace the server's public key with
> his own, he has no way to generate valid Finished messages.

At the TLS level, this is not a MitM attack.
TLS (at least when no old/vulnerable renegotiation can be coerced)
reliably protects against MitM.  What you're describing, if it
succeeds at the TLS level, is a TLS server impersonation, and
unless the server has somehow acquired the real server's
credentials, could only happen if the client's method to
identify (or authenticate) the server is fatally flawed.

At the application(!) level, the attack might still
be a MitM attack.  It does not necessarily require a
TLS-encrypted communication channel between the impersonating
server and the real server.

-Martin
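The Finished-message argument in the exchange above, worked through as an added example (this is not code from the original message or from the TLS working group). It implements the TLS 1.2 PRF (RFC 5246, section 5) and the Finished verify_data computation (section 7.4.9) and runs three constructed scenarios: an untouched handshake, a Certificate message altered in transit by an attacker who does not hold the server's private key (the transcripts diverge, so the Finished check fails), and a full impersonation where the attacker substitutes its own chain and key (the Finished check passes, so only the client's certificate path validation can reject it, which is the distinction Martin draws). The master secret, the attacker's secret and the handshake messages are constructed byte strings standing in for the real values.

```python
"""Constructed TLS 1.2 Finished-message demonstration (added example, not from the
original message).  The master secret is assumed to have been agreed through the key
exchange; an on-path attacker who did not replace the server's key never learns it."""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion, RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(i) + seed) ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def verify_data(master_secret: bytes, label: bytes, handshake_messages: list) -> bytes:
    """Finished.verify_data = PRF(master_secret, finished_label,
    Hash(handshake_messages))[0..11]; the hash covers every handshake message so far."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return prf(master_secret, label, transcript_hash, 12)


# Constructed stand-ins for the handshake messages (not real TLS encodings).
CLIENT_HELLO = b"ClientHello: version=0303 random=... cipher_suites=[...]"
SERVER_HELLO = b"ServerHello: version=0303 random=... cipher_suite=c02f"
SERVER_CERT = b"Certificate: [leaf(www.example.net), intermediate CA]"
ATTACKER_CERT = b"Certificate: [attacker leaf(www.example.net), bogus root]"
SERVER_KEX = b"ServerKeyExchange: ECDHE params, signed by the sender's key"
SERVER_DONE = b"ServerHelloDone"
CLIENT_KEX = b"ClientKeyExchange: client ECDHE public"

# Constructed 48-byte master secrets: one the real server shares with the client,
# one an impersonating attacker would share with the client after its own key exchange.
MASTER_SECRET = hashlib.sha384(b"constructed client/server master secret").digest()
ATTACKER_SECRET = hashlib.sha384(b"constructed client/attacker master secret").digest()


def transcript(cert_message: bytes) -> list:
    """Handshake messages up to and including ClientKeyExchange, i.e. the span the
    client Finished covers (TLS 1.2, no client authentication)."""
    return [CLIENT_HELLO, SERVER_HELLO, cert_message, SERVER_KEX, SERVER_DONE, CLIENT_KEX]


def client_finished_accepted(client_secret: bytes, client_cert_view: bytes,
                             peer_secret: bytes, peer_cert_view: bytes) -> bool:
    """The client computes Finished over what it received; the peer that answered the
    handshake recomputes over what it sent.  Both use label "client finished"."""
    sent = verify_data(client_secret, b"client finished", transcript(client_cert_view))
    expected = verify_data(peer_secret, b"client finished", transcript(peer_cert_view))
    return hmac.compare_digest(sent, expected)


def untampered() -> bool:
    """Honest handshake: shared secret, identical transcripts."""
    return client_finished_accepted(MASTER_SECRET, SERVER_CERT, MASTER_SECRET, SERVER_CERT)


def chain_tampered_in_transit() -> bool:
    """Attacker appends a root certificate to the chain but leaves the server's key
    alone, so client and server still share MASTER_SECRET yet hash different transcripts."""
    tampered = SERVER_CERT + b", root CA (appended in transit)"
    return client_finished_accepted(MASTER_SECRET, tampered, MASTER_SECRET, SERVER_CERT)


def impersonation_with_attacker_key() -> bool:
    """Attacker replaces the whole Certificate message and completes the key exchange
    itself: the attacker and client agree on ATTACKER_SECRET and see the same transcript,
    so Finished verifies.  Only certificate path validation can reject the bogus root."""
    return client_finished_accepted(ATTACKER_SECRET, ATTACKER_CERT,
                                    ATTACKER_SECRET, ATTACKER_CERT)


if __name__ == "__main__":
    print("untampered handshake accepted:     ", untampered())
    print("chain tampered in transit accepted:", chain_tampered_in_transit())
    print("impersonation accepted by Finished:", impersonation_with_attacker_key())
```

The second scenario is the one the quoted message reasons about: without the server's private key the attacker cannot finish the key exchange in the server's place, so it cannot produce a verify_data that matches the altered transcript. The third scenario shows why the Finished check alone says nothing about who the peer is; that job falls to the client's path validation, which is exactly the component Martin says must be "fatally flawed" for such an impersonation to succeed.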