[TLS] Could the renegotiation attack be used for session hijacking?

To: "tls at ietf.org list" <tls at ietf.org>
Subject: [TLS] Could the renegotiation attack be used for session hijacking?
From: Yoav Nir <ynir at checkpoint.com>
Date: Mon, 9 Nov 2009 14:59:27 +0200
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: tls at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Thread-index: AcphPHrrNqDIrBl6R52p3VeQwkc5tw==
Thread-topic: Could the renegotiation attack be used for session hijacking?

Hi.

One of our security experts came up with an extension to therenegotiation attack, that may lead to session hijacking. It'sprobably not relevant for HTTPS, because those connections are short-lived, but may be relevant for applications with longer-lived sessionsthat require rekeying. draft-rescorla-tls-renegotiation should solvethis as well:

1. Client connects without a certificate, but the session isauthenticated by the protocol (like an HTTP form or FTP login). TheMITM just proxies the connection to allow the client to authenticate.

2. After a while, the session requires rekeying, so the server sends aHelloRequest.

3. The MITM stops passing data to the client, and sends a ClientHelloto the server.

4. The server and MITM complete the handshake, and the MITM haseffectively hijacked the session from the client. The persistentapplication session means that the MITM is now authenticated to theserver as the client.


Seems to me that this will work, right?  Am I missing something?

Yoav

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: [TLS] Could the renegotiation attack be used for session hijacking?
  - From: Marsh Ray

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] Could the renegotiation attack be used for session hijacking?
Index(es):
- Date
- Thread

[TLS] Could the renegotiation attack be used for session hijacking?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.