IETF Logo Mail Archive

Re: [TLS] TLS identity protection using Signaling Cipher Suite Value

Martin Rex <mrex@sap.com> Wed, 30 November 2011 19:23 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5EA521F8A71 for <tls@ietfa.amsl.com>; Wed, 30 Nov 2011 11:23:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.692
X-Spam-Level:
X-Spam-Status: No, score=-9.692 tagged_above=-999 required=5 tests=[AWL=0.558, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cmleHas84a8l for <tls@ietfa.amsl.com>; Wed, 30 Nov 2011 11:23:10 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 2900421F8AF9 for <tls@ietf.org>; Wed, 30 Nov 2011 11:23:09 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id pAUJN6YQ023908 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 30 Nov 2011 20:23:06 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201111301923.pAUJN6VR022639@fs4113.wdf.sap.corp>
To: mbadra@gmail.com
Date: Wed, 30 Nov 2011 20:23:06 +0100
In-Reply-To: <CAOhHAXy=4vTRxO13=xkSQ9i3qcAa=TxRSt15hVBv85juu0xkUw@mail.gmail.com> from "Badra" at Nov 17, 11 10:49:47 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS identity protection using Signaling Cipher Suite Value
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2011 19:23:11 -0000

Badra wrote:
> 
> I posted a document that defines a pecial Signaling Cipher Suite Value to
> enable the negotiation of the client identity protection. This approach had
> been initially proposed by Francisco Corella, to the TLS mailing list
> during August 2000.
> 
> http://www.ietf.org/id/draft-badra-tls-identity-protection-00.txt

A signaling cipher suite value is certainly *MUCH* better than
the other proposal for a cartesian product of common ciphersuites.

Although performing negotiation of this capability through ciphersuite
values instead of a TLS extension would protect against a very simplistic
DoS attack against a TLS handshake between the rightful client and
rightful server using TLS extension (but only in case the client is
capable and willing to perform a reconnect fallback with an
extension-less ClientHello),
this approach can *NOT* protect against an active attacker that
is determined to learn the client's identity and does not
care about causing a failed TLS handshake while doing so.

As I previously mentioned, the only reliable protection during the
handshake would be an indication from the server that is authenticated
by the server credential an can *not* be stripped from the handshake.
Basically, it would need to be hardwired into the server's credential,
like an additional certificate extension or a new EKU OID.

The Finished MAC protection of the handshake contents can only protect
the application from using the resulting connection, it can not
protect the negotiation and use of protocol features _during_
the TLS handshake because modifications of the handshake by an
active MitM can only reliably be detected *after* the handshake when
verifying the finished messages.

-Martin

v2.23.0 | Report a Bug | By Email