IETF Logo Mail Archive

[TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Mon, 16 November 2009 00:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 10C5D3A67D8 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 16:37:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.697
X-Spam-Level:
X-Spam-Status: No, score=-5.697 tagged_above=-999 required=5 tests=[AWL=0.552, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id valz0OIZdzda for <tls@core3.amsl.com>; Sun, 15 Nov 2009 16:37:33 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 0C6563A676A for <tls@ietf.org>; Sun, 15 Nov 2009 16:37:32 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nAG0bVXB015250 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@ietf.org>; Mon, 16 Nov 2009 01:37:31 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911160036.nAG0atRS014903@fs4113.wdf.sap.corp>
To: tls@ietf.org
Date: Mon, 16 Nov 2009 01:36:55 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal04
X-SAP: out
Subject: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 00:37:34 -0000

The most simplistic approch to renego protection is

   1. the client signals that it is patched through a fake
      ciphersuite ID in each ClientHello

   2. the client only supports secure renegotiation and
      secure renegotiation is specified to change the definition
      of the handshake message hash for renegotiation handshakes
      to include the verify_data of the client.finished and
      server.finished after the ServerHello.

Everything else is options for vendors and users.

If we do not provide a standardized signaling Server->Client in the
client hello, then it is not possible for the clients to offer
the option for insecure renegotiation (I have no idea whether such
a desire exists, but it might easily exist during transition).

With this simplistic approach, an MITM can not proxy a clients
initial handshake into an updated servers renegotiation, even
when the server still allows insecure renegotiation (e.g. during
the transition period).  


I really like to hear convincing arguments why we need the 
TLS extension in the renegotiation handshake, and why changing
the definition for the handshake message hash instead is not
a superior alternative.  In particular one that will grow
naturally into future TLS revisions.

-Martin

v2.23.0 | Report a Bug | By Email