Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Yoav Nir <ynir@checkpoint.com> Mon, 09 November 2009 12:36 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 069E53A6805 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 04:36:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-6oGisQhqNJ for <tls@core3.amsl.com>; Mon, 9 Nov 2009 04:36:26 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id B6DC93A672F for <tls@ietf.org>; Mon, 9 Nov 2009 04:36:25 -0800 (PST)
X-CheckPoint: {4AF809D4-6-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 7D76029C00B; Mon, 9 Nov 2009 14:36:50 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 5919029C002; Mon, 9 Nov 2009 14:36:50 +0200 (IST)
X-CheckPoint: {4AF809D4-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nA9Canc6015583; Mon, 9 Nov 2009 14:36:49 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 9 Nov 2009 14:36:53 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Yair Elharrar <Yair.Elharrar@audiocodes.com>
Date: Mon, 09 Nov 2009 14:36:47 +0200
Thread-Topic: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Thread-Index: AcphOVCIx8Rz2UcRREmZUnBnx/9AKg==
Message-ID: <195C3B4A-77FC-41AD-A0B7-6A3E076BE190@checkpoint.com>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com>
In-Reply-To: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-33-290133861"; protocol="application/pkcs7-signature"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 12:36:27 -0000

Below

On Nov 9, 2009, at 2:17 PM, Yair Elharrar wrote:

> The proposed draft is intended to resolve an MITM attack scenario,  
> but is the new extension tamper-resistant?

It's as resistant as TLS is.

> Since the MITM handles all traffic between the real client and real  
> server, it could add a fake extension to the 2nd ClientHello with  
> its original verify_data, and empty the returned extension in the  
> ServerHello.

The Finished messaged at the end of the TLS handshake signs all the  
previous data. Unless the MITM can replicate the server's calculation  
of the opaque_verify_data field, the client will notice that the  
finished message is wrong (it signs an extension that the client did  
not send).

To calculate the opaque_verify_data field, the MITM would need the  
(pre_)master_secret, and that is encrypted using the server's public  
key. So no, the MITM cannot mess with the extensions.

>
> In addition, until such time that all clients in the world start  
> supporting this extension (e.g. kiosks in airports), servers will  
> have to support backward compatibility. The MITM can downgrade every  
> client by simply removing the extension from the ClientHello.

They can't downgrade the client, but the client can't expect any  
server to support the extension. Maybe the browser vendors can disable  
the green EV indication for servers that don't support the extension.

>        Yair