IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Mon, 16 November 2009 10:29 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57D4F3A6801 for <tls@core3.amsl.com>; Mon, 16 Nov 2009 02:29:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.688
X-Spam-Level:
X-Spam-Status: No, score=-5.688 tagged_above=-999 required=5 tests=[AWL=0.561, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-BEm1pRxwaz for <tls@core3.amsl.com>; Mon, 16 Nov 2009 02:29:13 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 478D43A6929 for <tls@ietf.org>; Mon, 16 Nov 2009 02:29:13 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAGAT9GM011383 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Nov 2009 11:29:09 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911161029.nAGAT8uN019401@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Mon, 16 Nov 2009 11:29:08 +0100
In-Reply-To: <4B00A722.1020400@pobox.com> from "Michael D'Errico" at Nov 15, 9 05:13:06 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 10:29:14 -0000

Michael D'Errico wrote:
> 
> > The most simplistic approch to renego protection is
> > 
> >    1. the client signals that it is patched through a fake
> >       ciphersuite ID in each ClientHello
> > 
> >    2. the client only supports secure renegotiation and
> >       secure renegotiation is specified to change the definition
> >       of the handshake message hash for renegotiation handshakes
> >       to include the verify_data of the client.finished and
> >       server.finished after the ServerHello.
> 
> No, this does not plug the hole.  The magic ciphersuite in (1)
> requires that the server recognize it, i.e. it is patched.
> Therefore it will not perform insecure renegotiation even
> without seeing the ciphersuite (especially without seeing it).

Of course the server needs to implement secure renegotiation as well.

If the server doesn't want to support old style renegotiation,
it doesn't need to look for the ciphersuite ID at all, it can also
just perform the new handshake message hash for ever renegotiation
handshake.

The fake ciphersuite ID is only for the signaling, and the server
wants to signal back, re-puposing an existing protocol field of a
vanilla ServerHello, then it needs to check whether the client
will get the hint and not choke on it.

> 
> And again the client's INITIAL handshake is the one that the
> server sees as a renegotiation in Marsh's attack, so the fact
> that the client won't REnegotiate (2) is unhelpful; the attack
> has already completed.

Bugs of the server must be fixed at the server.  You can not expect
from end users that they will have every piece of TLS client software
that they might be using reviewed before the dare touching it.


-Martin

v2.23.0 | Report a Bug | By Email