[TLS] Protected Renegotiation -- refined proposal
Martin Rex <mrex@sap.com> Fri, 13 November 2009 15:34 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B2763A6981 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 07:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.168
X-Spam-Level:
X-Spam-Status: No, score=-6.168 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLahA6dzY0-d for <tls@core3.amsl.com>; Fri, 13 Nov 2009 07:34:32 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id F35433A695A for <tls@ietf.org>; Fri, 13 Nov 2009 07:34:31 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nADFYx3t011993 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Nov 2009 16:34:59 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911131534.nADFYxDa020395@fs4113.wdf.sap.corp>
To: ekr@networkresonance.com
Date: Fri, 13 Nov 2009 16:34:59 +0100
In-Reply-To: <20091113082235.C55F469F381@kilo.networkresonance.com> from "Eric Rescorla" at Nov 13, 9 10:22:35 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: [TLS] Protected Renegotiation -- refined proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 15:34:33 -0000
Eric Rescorla wrote: > > Nicolas Williams wrote: > > > > The whole point of my post was to point out that there is a way to do > > the server->client signaling without changing a single bit on the wire > > -- just the Finished message computations. > > > > Interestingly, that approach could even be used on initial connections > > to detect if the server will support secure re-negotiation _before_ the > > client ever tries it. > > I don't see that. AFAICT both your options involve the client generating a > hello extension, so this does affect the bits on the wire. Obviously > there are approaches which don't require that, but they don't provide > detection of server capabilities on initial negotiation. By contrast > your message of 1854 doesn't allow the client to probe the server > AFAICT. Nico an I are talking about slighty different things. I will try to reexplain my most recent mind model of how this should be solved, and you will see that the cryptographic properties are almost identical to the TLS extension RI. My most recent model will actually grow naturally into TLS v1.3 and become invisible. The cryptographic concept behind the actual fix: I. Initial SSL/TLS Handshake on a connection Here we want to achieve three things: a) Securely signal from client to server that client is updated b) Securely signal from server to client that server is updated (provided that client has indicated that it will understand this information) c) Signal that this is an initial handshake so that it can not be proxied into a renegotiation handshake in an abstract fashion, the protocol update looks like this: Initial SSL/TLS handshake on a connection Traditional: Updated: ClientHello ClientHello + ProtocolUpdateIndicatorC2S ServerHello ServerHello + ProtocolUpdateIndicatorS2C -- all further handshake messages unchanged --- TLS extension RI: (1a) + (1c) For the TLS extension RI, the ProtocolUpdateIndicatorC2S is a ClientHelloExtension "RI" with empty data (1b) + (1c) For the TLS extension RI, the ProtocolUpdateIndicatorS2C is a ServerHelloExtension "RI" with empty data Both ProtocolUpdateIndicators have no special cryptographic properties. They're part of the handshake messages so that can not be stripped from an MITM without breaking the MAC-check by the Finished messages. My (revised) proposal: My proposal is to use two other ProtocolUpdateIndicators instead that can be added to all existing protocol versions with significantly less pain an suffering, and in a fully fowards compatible fashion so that this ProtocolUpdate will grow out naturally with the next TLS protocol update (TLSv1.3) (1a) assign a special ciphersuites ID as ProtocolUpdateIndicatorC2S that is to be included in the ciphersuites list of the ClientHello and extremely backwards compatible with installed base servers that implement SSLv3->TLSv1.2 (0x03,0x00) -> (0x03,0x03). (1c) change the computation of the finished mac for all renegotiation handshakes (1b) increase the major number of the protocol version by one as the ProtocolUpdateIndicatorS2C, which means: 0x03,0x00 SSLv3, unpatched 0x04,0x00 SSLv3 patched 0x03,0x01 TLSv1.0, unpatched 0x04,0x01 TLSv1.0 patched 0x03,0x02 TLSv1.1, unpatched 0x04,0x02 TLSv1.1 patched 0x03,0x03 TLSv1.2, unpatched 0x04,0x03 TLSv1.2 patched (0x03,0x04 TLSv1.3 only for client_version) 0x04,0x04 TLSv1.3 (1a2) A client that sends a ClientHello with a client_version that is >=0x03,0x04 also indicates that it will used the changed computation of finished mac calculation for the renegotiation handshake. II. Renegotiation SSL/TLS handshake on a connection Here we want to achieve: a) cryptographic binding of the renegotiation handshake to the previous session by adding the verify_data of the previous finished messages as known to the client into the handshake message hash (->ClientVerify, ->Finished) b) cryptographic binding of the renegotiation handshake to the previous session by adding the verify_data of the previous finished messages as known to the server into the handshake message hash (->ClientVerify, ->Finished) Renegotiation SSL/TLS handshake on a connection Traditional: Updated: ClientHello ClientHello + ClientsPreviousVerifyData ServerHello ServerHello + ServersPreviousVerifyData -- all further handshake messages unchanged --- TLS extension RI: (2a) adds the clients verify_data from previous client.finished message into ClientHelloExtension RI (2b) adds the servers verify_data from previous (client.finished and) server.finished message into ServerHelloExtension RI The Handshake Messages MAC will roughly receive the following data: ClientHello FF 01 00 01 0C <verify_data of client's previous client.finished> ServerHello FF 01 00 01 18 <verify_data of server's previous client.finished> <verify_data of server's previous server.finished> -- all further handshake messages unchanged --- My (revised) proposal: (2a)+(2b) effectively change the computation of the finished macs by redefining what goes into the handshake message hash if the updated protocol is used. The verify_data of the previous client.finished and server.finished messages are defined to be handshake messages that are _not_ sent in the current handshake (think of it as carryover from the previous handshake). The Handshake Messages MAC will roughly receive the following data: Client-side: ClientHello ServerHello <verify_data of client's previous client.finished> <verify_data of client's previous server.finished> -- all further handshake messages unchanged --- Server-side: ClientHello ServerHello <verify_data of server's previous client.finished> <verify_data of server's previous server.finished> -- all further handshake messages unchanged --- The verify_data should become a "virtual handshake message" _after_ the ServerHello, when client and server both know that they're really using the updated protocol. To me, it looks like this approach and TLS extension RI are very similar in their cryptographic properties. By adding the verify_data to the handshake message MACs (but not the message stream) always after ServerHello, they are also covered by the clients signature in the ClientVerify message -- in case that cert-based SSL/TLS client authentication is used. This property is also similar to TLS extension RI. If the clients memories about the previous session differ from those of the server, the finished messages of the renegotiation handshake will differ. If client cert authentication is used, the signature verification of ClientVerify will already fail. -Martin
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard