Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Martin Rex <mrex@sap.com> Tue, 10 November 2009 20:11 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 94F6B3A6928 for <tls@core3.amsl.com>; Tue, 10 Nov 2009 12:11:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.156
X-Spam-Level:
X-Spam-Status: No, score=-6.156 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I84HEEa6sCVQ for <tls@core3.amsl.com>; Tue, 10 Nov 2009 12:11:44 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 17DE43A68FC for <tls@ietf.org>; Tue, 10 Nov 2009 12:11:43 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAAKC7ef001106 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 10 Nov 2009 21:12:07 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911102012.nAAKC5HV022217@fs4113.wdf.sap.corp>
To: Nicolas.Williams@sun.com
Date: Tue, 10 Nov 2009 21:12:05 +0100
In-Reply-To: <20091110181544.GW1105@Sun.COM> from "Nicolas Williams" at Nov 10, 9 12:15:45 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 20:11:45 -0000
Nicolas Williams wrote: > > Marsh Ray wrote: > > > > Nicolas Williams wrote: > > > > > > TLS connections are not so long lived > > > > But there is no defined upper limit. > > True, and indeed, IMAP depends on that. Are there IMAP/other servers > the request re-negotiation when a client's cert reaches/nears > expiration? There is only a suggestion in the TLS spec that a TLS session ID should not be valid for more than 24 hours. That refers to the TLS session cache and the possibility to resume a TLS session, not for the lifetime of an established TLS session. Busy Web-Servers may use significantly shorter session cache lifetimes (our default is 15 minutes). TLS connection lifetimes and session lifetimes, in particular for SSL-VPNs that Steve mentioned, might be much longer. But keep in mind, that issuer of credentials (like CAs) may have a problem if an authenticated session can be held for several days even though the credential may have long be expired, revoked or the ACL may have been updated in the interim. An application that depends on an authentication to be valid for several days or weeks is probably a security problem all by itself. How about recommending two recommendations instead of one: - TLS implementations should, by default, lock down identities during session renegotiation once they have been established in a TLS handshake, i.e. the implementation should ensure they match exactly (e.g. memcmp() of the certificate blob). Identities not previously established in a TLS handshake can be established in a renegotiation for the first time. - TLS implementations are encouraged to offer an API to the applications where an application can request permission for a change in identities during renegotiation. Application protocols that need this functionality, MUST specify the procedure how to perform authentication of the peer and the semantics of a change in identity during renegotiation. TLS implementations must provide a signaling facility to such applications to distinguish application data received over the original TLS session from application data received over the newly renegotiated TLS session. > > I suppose non-anon->anon re-negotiation, but with the new inner->outer > connection binding should be OK once too (to allow for re-keying without > having to bother with authentication). I do not like that idea. If renegotiation is performed and the identity is maintained, this can be detected with a memcmp() on the certificate blob, and then one can skip that authentication. If the identity changes, a re-authentication ought to be performed. Usually the issuer of a certificate assumes that it can no longer be used once it is expired, but if you allow renegotiations to Renegotiation creates a new session, that servers will usually add to their session caches. If such a session is resumed from the cache on a new connection, you can _not_ perform an authentication. -Martin
- [TLS] draft-rescorla-tls-renegotiate and MITM res… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Dr Stephen Henson
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Steve Dispensa
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Peter Saint-Andre
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Yoav Nir
- Re: [TLS] To API or not Bill Frantz
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Michael D'Errico
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM… Martin Rex
- [TLS] RC4+3DES rekeying - long-lived TLS connecti… Martin Rex
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… David-Sarah Hopwood
- Re: [TLS] RC4+3DES rekeying - long-lived TLS conn… Peter Saint-Andre