Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Yair Elharrar <Yair.Elharrar at audiocodes.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Yoav Nir <ynir at checkpoint.com>
Date: Mon, 9 Nov 2009 14:36:47 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16 at ACLMAIL01.corp.audiocodes.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16 at ACLMAIL01.corp.audiocodes.com>
Thread-index: AcphOVCIx8Rz2UcRREmZUnBnx/9AKg==
Thread-topic: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Below

On Nov 9, 2009, at 2:17 PM, Yair Elharrar wrote:

The proposed draft is intended to resolve an MITM attack scenario,but is the new extension tamper-resistant?


It's as resistant as TLS is.

Since the MITM handles all traffic between the real client and realserver, it could add a fake extension to the 2nd ClientHello withits original verify_data, and empty the returned extension in theServerHello.

The Finished messaged at the end of the TLS handshake signs all theprevious data. Unless the MITM can replicate the server's calculationof the opaque_verify_data field, the client will notice that thefinished message is wrong (it signs an extension that the client didnot send).

To calculate the opaque_verify_data field, the MITM would need the(pre_)master_secret, and that is encrypted using the server's publickey. So no, the MITM cannot mess with the extensions.

In addition, until such time that all clients in the world startsupporting this extension (e.g. kiosks in airports), servers willhave to support backward compatibility. The MITM can downgrade everyclient by simply removing the extension from the ClientHello.

They can't downgrade the client, but the client can't expect anyserver to support the extension. Maybe the browser vendors can disablethe green EV indication for servers that don't support the extension.

       Yair

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar

References:
- [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar

Prev by Date: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: [TLS] Could the renegotiation attack be used for session hijacking?
Previous by thread: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.