IETF Logo Mail Archive

Re: [TLS] Quest for Unified Solution to TLS Renegotiation

David-Sarah Hopwood <david-sarah@jacaranda.org> Thu, 26 November 2009 18:25 UTC

Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA9AA3A6AC4 for <tls@core3.amsl.com>; Thu, 26 Nov 2009 10:25:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHS7ePatwvVD for <tls@core3.amsl.com>; Thu, 26 Nov 2009 10:25:03 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id 93DD53A689A for <tls@ietf.org>; Thu, 26 Nov 2009 10:25:02 -0800 (PST)
Received: by ewy6 with SMTP id 6so1069032ewy.29 for <tls@ietf.org>; Thu, 26 Nov 2009 10:24:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=gMN5JZjxwExBGb7ntY4KP9O30rEqHQ20GHqht7O8MBY=; b=OEEuJg/uvESqG/kqmHgWa7c/jKAZ0zxjnnTz1cZnV3bUPs43hVibmz9fdbjM8gWVBX Z8TxO6a/jSoJCO8i9c92PFd6IO8Zr9BMgmLhK5eZDBYExBJpxAIjnDxSkNwK4CBxJH1p PbdL70I8Ekomb2IbznwpeVmzE+VuhvVe6Abwc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=E/Y7uTRSpkF9muSb7RE3Qrwh1altg7j900stJ6GcSvZGaHrPshcyONubgUg/ImrDRb p8OWxuDF8HVJxaLSeoRdKBO8QImfxP0NC+EysU7aOeh9LnDob5ZSsK6qN5UDSDtl1BGy oX8Mzqk+5/qhbUyYDLB+wLwvGwMnfUaJ2Pw8M=
Received: by 10.213.0.195 with SMTP id 3mr31521ebc.81.1259259889859; Thu, 26 Nov 2009 10:24:49 -0800 (PST)
Received: from ?192.168.0.2? (5adcc5d2.bb.sky.com [90.220.197.210]) by mx.google.com with ESMTPS id 15sm463848ewy.8.2009.11.26.10.24.48 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 26 Nov 2009 10:24:48 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B0EC7F5.5050100@jacaranda.org>
Date: Thu, 26 Nov 2009 18:24:53 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <200911260735.nAQ7ZbYP003893@fs4113.wdf.sap.corp> <4B0EBF04.7090708@jacaranda.org>
In-Reply-To: <4B0EBF04.7090708@jacaranda.org>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigBD773CC4970866EA77B5B82F"
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 18:25:04 -0000

David-Sarah Hopwood wrote:
> Martin Rex wrote:
>> different possibilities:
>>   - add a bodyless-finished message to the beginning of the handshake
>>     message hash of a secure renegotiation before the ClientHello
>>     a position where the attacker can not insert handshake messages
> 
> It's not clear to me that the attacker can't insert handshake messages
> there. If an implementation normally ignores handshake messages with an
> unrecognized HandshakeType, then it is likely to ignore them before the
> ClientHello as well.

The TLS spec doesn't seem to be very clear on whether handshake messages
with an unrecognized HandshakeType must cause an error (section 7.4).
Does anyone know what implementations actually do?

> For a random 24-byte string, the HandshakeType has a 246 in 256 ~= 96%
> probability of being unrecognized, but then the length is a uint24,
> and the attacker needs it to encode the number 20 in order for the
> attack to work as I described it. So this attack almost certainly isn't
> practical, but we should be sure to prevent it rather than relying on
> probabilities.

Ah, but if the attacker makes ~17.5 million connections (which do not
all have to be to the same site; just to any site that they might want
to attack), then they can expect to get a previous_verify_data that
matches the encoding of a handshake message of unrecognized type.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email