Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> Mon, 09 November 2009 14:01 UTC

Return-Path: <lists@drh-consultancy.demon.co.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 286D43A6B6E for <tls@core3.amsl.com>; Mon, 9 Nov 2009 06:01:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bvQbpUL2CtGh for <tls@core3.amsl.com>; Mon, 9 Nov 2009 06:01:02 -0800 (PST)
Received: from claranet-outbound-smtp04.uk.clara.net (claranet-outbound-smtp04.uk.clara.net [195.8.89.37]) by core3.amsl.com (Postfix) with ESMTP id E4BEC3A6B6C for <tls@ietf.org>; Mon, 9 Nov 2009 06:01:01 -0800 (PST)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:49754 helo=[192.168.7.8]) by relay04.mail.eu.clara.net (relay.clara.net [213.253.3.44]:10587) with esmtpa (authdaemon_plain:drh) id 1N7Uo7-000879-Fu (Exim 4.69) (return-path <lists@drh-consultancy.demon.co.uk>); Mon, 09 Nov 2009 14:01:24 +0000
Message-ID: <4AF820B4.6070303@drh-consultancy.demon.co.uk>
Date: Mon, 09 Nov 2009 14:01:24 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803@extendedsubset.com> <B1F20B37-462E-4224-9536-3DBF1B080831@checkpoint.com>
In-Reply-To: <B1F20B37-462E-4224-9536-3DBF1B080831@checkpoint.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 14:01:03 -0000

Yoav Nir wrote:
> 
> On Nov 9, 2009, at 3:45 PM, Marsh Ray wrote:
> 
>> Yair Elharrar wrote:
>>> The proposed draft is intended to resolve an MITM attack scenario,
>>> but is the new extension tamper-resistant?
>>>
>>> Since the MITM handles all traffic between the real client and real
>>> server, it could add a fake extension to the 2nd ClientHello with its
>>> original verify_data, and empty the returned extension in the
>>> ServerHello.
>>
>> A valid concern, which I believe is addressed by the fact that the
>> 'Finished' message in TLS contains a MAC which covers extensions present
>> on the Client and Server Hellos.
>>
>> IIRC, earlier SSLs did not cover extensions with a MAC.
> 
> I think SSLv3 did not allow for client extensions at all, and TLSv1.0
> already covered everything.
> 

I think that SSLv3 did allow additional arbitrary data to be added after a
ClientHello without specifying the format (meaning that technically extensions
could be included) and that this additional data was included in MACs.

However testing has shown that many implementations (including one ancient
version of OpenSSL) didn't handle this properly meaning that including
extensions in SSLv3 can result in handshake failure.

OpenSSL did include extensions in SSLv3 but the resulting failures have meant we
don't do this any more.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.