Re: [TLS] TLSrenego - current summary of semantics and possibilities

Martin Rex <mrex@sap.com> Wed, 11 November 2009 00:57 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 144913A69C4 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 16:57:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.852
X-Spam-Level:
X-Spam-Status: No, score=-5.852 tagged_above=-999 required=5 tests=[AWL=-0.203, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9bSvmQTjX6Sx for <tls@core3.amsl.com>; Tue, 10 Nov 2009 16:57:49 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 10B5D3A67B6 for <tls@ietf.org>; Tue, 10 Nov 2009 16:57:48 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nAB0wFSl022031 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Nov 2009 01:58:15 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911110058.nAB0wEUB009635@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 11 Nov 2009 01:58:14 +0100
In-Reply-To: <4AFA06CC.2080703@pobox.com> from "Michael D'Errico" at Nov 10, 9 04:35:24 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 00:57:50 -0000

Michael D'Errico wrote:
> 
> > What you're asking for is to discontinue talking to the entire installed
> > base of SSL&TLS implementations.  i.e. clients should only talk to
> > updated servers (which means they must be updated clients).
> 
> I'm not asking for that.  People seem confused about who sees the
> renegotiation.  The client *does not* see a renegotiation in the MITM
> attack.  It simply connects once giving its credentials, and the attack
> is complete.

It doesn't see one in the scenarios described by Marsh.

The client will see an renegotiation in the scenario I posted to this list.

> 
> > HUH?  The Renegotiation_Info is required for cryptographic binding
> > during the renegotiation handshake.  Without it, there is zero protection.
> 
>  From just the client's perspective, all it needs is for its initial
> handshake to have sent and received an empty renegotiation info extension.
> Once that handshake completes, it knows that there is no MITM.  From then
> on, it doesn't need secure renegotiation; it can only be talking to the
> same server.

So if I mount the attack I described on your client, and use the
empty TLS extension in the sess1 handshake between your client and
my MITM, then your client is going to renegotiate blindly with the
server to which I'm connecting it?  Not good.  Your fix is incomplete.



Here's a mean out-of-context quote from RFC-5246:    :-D

   D.4.  Implementation Pitfalls

      [...]

   TLS protocol issues:

      [...]

   -  Do you support renegotiation, both client and server initiated?


-Martin