Re: [TLS] draft-ietf-tls-renegotiation-01.txt and DTLS

Tolga Acar <Tolga.Acar@microsoft.com> Thu, 03 December 2009 19:47 UTC

I looked at DTLS and it doesn't seem like it is vulnerable as TLS is.
The "uint16 epoch" and "uint48 sequence_number" in the record header are input to the MAC and are validated per RFC 4347 Section 4.1.2.1. It seems to me that a MiTM would not have a matching epoch+sequence number, the MiTM can't change them (ok, may change, but MAC would not validate), and it takes 2^48 for them to roll over. So, short of 2^48 bit rollover (and, don't forget the message sequence number <uint16> inside the record), I don't see how MiTM would work in DTLS.

However, in the last paragraph of the same section, it says "DTLS implementations SHOULD silently discard data with bad MACs". If an implementation were to ignore bad MACs, things would go bad and MiTM would be applicable. I suggest SHOULD be changed to MUST; or people must expect that implementations would barf on bad MACs.

- Tolga

-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Kyle Hamilton
Sent: Monday, November 30, 2009 10:32 AM
To: Eric Rescorla
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-renegotiation-01.txt and DTLS

I would support randomizing the epoch counter in DTLS, giving a 1:2^16 chance of getting it right in a single attempt.  (This follows my observation that the hash saved from the last Finished message is essentially the same as a named epoch.)

-Kyle H

On Mon, Nov 30, 2009 at 10:29 AM, Eric Rescorla <ekr@networkresonance.com> wrote:
> At Mon, 30 Nov 2009 12:06:02 -0600,
> Marsh Ray wrote:
>>
>> Michael Tüxen wrote:
>> >
>> > If I'm not wrong, then the attack which works against TLS does not 
>> > work against DTLS, since DTLS has an epoch counter.
>> >
>> > If a client tries to establish a DTLS connection and a MITM 
>> > intercepts it, establishes itself a DTLS connection, the epoch is 
>> > 1. There will be a final mismatch in the epoch and the packets will 
>> > be discarded. When using the RI extension one could enforce the sending of the alert message.
>> > But the original attack is not possible, I think.
>> >
>> > Is my analysis correct or am I overlooking something?
>>
>> Can MitM do the same number of renegotiations as he does with the 
>> server before splicing him?
>
> Nagendray and I had this conversation last week. While I haven't done 
> a complete analysis, my intuition is that DTLS is more resistant (for 
> the reason you indicate) but not 100% resistant.  Another concern 
> would be epoch rollover: what if you do 65536 (65535?--too lazy to
> calculate) handshakes with the server and force the epoch back to 0?
>
> So, probably better to use RI with DTLS as well.
>
> -Ekr
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
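The MAC coverage discussed in the top message of this thread, as an added example that is not part of the original e-mails: a receiver that computes the DTLS 1.0 record MAC over epoch || sequence_number || type || version || length || fragment (RFC 4347 Section 4.1.2.1) and silently discards any record whose MAC does not verify. Assumptions: HMAC-SHA1 with no record encryption, no replay window, and constructed keys and payload; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20          # HMAC-SHA1 tag size
DTLS_1_0 = 0xFEFF     # version field on the wire for DTLS 1.0

def record_mac(key, epoch, seq, ctype, fragment):
    # RFC 4347 4.1.2.1: the MAC sequence number is the 64-bit value
    # epoch (uint16) || sequence_number (uint48), taken from the record header.
    seq64 = struct.pack("!H", epoch) + seq.to_bytes(6, "big")
    covered = seq64 + struct.pack("!BHH", ctype, DTLS_1_0, len(fragment)) + fragment
    return hmac.new(key, covered, hashlib.sha1).digest()

def seal(key, epoch, seq, ctype, fragment):
    body = fragment + record_mac(key, epoch, seq, ctype, fragment)
    return (struct.pack("!BHH", ctype, DTLS_1_0, epoch) + seq.to_bytes(6, "big")
            + struct.pack("!H", len(body)) + body)

def open_record(key, current_epoch, record):
    """Return the fragment, or None to signal 'silently discard'."""
    if len(record) < 13 + MAC_LEN:
        return None
    ctype, version, epoch = struct.unpack("!BHH", record[:5])
    seq = int.from_bytes(record[5:11], "big")
    (length,) = struct.unpack("!H", record[11:13])
    body = record[13:13 + length]
    if version != DTLS_1_0 or epoch != current_epoch or len(body) != length or length < MAC_LEN:
        return None
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(key, epoch, seq, ctype, fragment)):
        return None   # bad MAC: drop, never deliver
    return fragment

def relabel(record, epoch, seq):
    # Constructed tampering: rewrite only the header's epoch and sequence number.
    return record[:3] + struct.pack("!H", epoch) + seq.to_bytes(6, "big") + record[11:]

KEY = b"constructed-mac-write-secret"            # sample key, not from the thread
REC = seal(KEY, 1, 5, 23, b"application data")   # epoch 1, seq 5, type 23

def demo():
    return {
        "intact": open_record(KEY, 1, REC),
        "epoch_rewritten": open_record(KEY, 2, relabel(REC, 2, 5)),
        "seq_rewritten": open_record(KEY, 1, relabel(REC, 1, 6)),
        "other_session_key": open_record(b"different-session-secret", 1, REC),
    }
```

Only the intact record is delivered; the three altered cases return None, which is the discard behaviour the SHOULD-versus-MUST point in the message depends on.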