Re: [TLS] MITM Attacks on Client Authentication after Resumption

Martin Thomson <martin.thomson@gmail.com> Tue, 04 March 2014 15:23 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25AB51A0085 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 07:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPSkki9pgfCJ for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 07:23:45 -0800 (PST)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC151A007C for <tls@ietf.org>; Tue, 4 Mar 2014 07:23:45 -0800 (PST)
Received: by mail-we0-f181.google.com with SMTP id q58so4976566wes.26 for <tls@ietf.org>; Tue, 04 Mar 2014 07:23:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kjHdu+OQGHuNk7NckAHC1sweg/X9LYANj6yZ2suOLBw=; b=0BqlbN0jHmQvMXy+XhM4ER1CYMgYaYAZX/pJEIxUlyQLuzxLpv7d2qtLlQoe9Xti/I ZX15SWEf0pKeROYiNulb+RExQWLJgNu87S5EUkTNYK0eJql3zqE30RwDp2moiff0hOiO 6pmMapw2IrMYYxJFvAT0rgbMkJlReDUlM9tMAW3ONlhQRWWJKTZg4kxkaI2xVMUyV3eu Spp7N8Zp9MrjwYxke6f52Vw48dvmNaElV9tmje89ysHlBQiUMqdS3AjNQqM9jKho3Xs2 b0NBM1EVABzwL7neIGiaht0X8RqQU6xnJEu3jdtxTptntarzEJiNBfInh37Vk2DDYmnM 0s6w==
MIME-Version: 1.0
X-Received: by 10.194.170.167 with SMTP id an7mr14522wjc.39.1393946621776; Tue, 04 Mar 2014 07:23:41 -0800 (PST)
Received: by 10.227.10.196 with HTTP; Tue, 4 Mar 2014 07:23:41 -0800 (PST)
In-Reply-To: <5315DD23.30901@drh-consultancy.co.uk>
References: <20140303193737.2A2251AC36@ld9781.wdf.sap.corp> <5315DD23.30901@drh-consultancy.co.uk>
Date: Tue, 4 Mar 2014 15:23:41 +0000
Message-ID: <CABkgnnVYj-2BKwMLTgH-hVxSSGncoppOv-gZhbdBQB=QCBB-Ew@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qZNS9AxykwwxiLdw-pl46tqEi8k
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MITM Attacks on Client Authentication after Resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 15:23:47 -0000

On 4 March 2014 14:03, Dr Stephen Henson <lists@drh-consultancy.co.uk> wrote:
>
> I performed a few checks with an experimental option to change the server
> certificate during renegotiation, which I believe simulates the attack
> mechanism. If the client checks certificates in band then all versions choke
> with a verification error if a chain is untrusted. For 1.0.2 only it also chokes
> if the chain is trusted but the hostname doesn't match.

This is an interesting option.  I like the general idea, but wonder
what "hostname doesn't match" means in this case.

To provide some context, in HTTP/2 we are considering having multiple
names share the same connection, as long as they are covered by
wildcards or additional subjectAltName values.  You might start out
looking for "foo.example.com", but as long as you have "*.example.com"
or "bar.example.com" in subjectAltName, you will proceed with requests
to "bar.example.com" on that connection.

I think that it would be unlikely that a renegotiated certificate
would include some names from a previous certificate, but not others,
but that might be a problem if an implementation fixates on a single
name.