Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Yoav Nir wrote:
>
> On Nov 9, 2009, at 3:45 PM, Marsh Ray wrote:
>
>> Yair Elharrar wrote:
>>> The proposed draft is intended to resolve an MITM attack scenario,
>>> but is the new extension tamper-resistant?
>>>
>>> Since the MITM handles all traffic between the real client and real
>>> server, it could add a fake extension to the 2nd ClientHello with its
>>> original verify_data, and empty the returned extension in the
>>> ServerHello.
>>
>> A valid concern, which I believe is addressed by the fact that the
>> 'Finished' message in TLS contains a MAC which covers extensions present
>> on the Client and Server Hellos.
>>
>> IIRC, earlier SSLs did not cover extensions with a MAC.
>
> I think SSLv3 did not allow for client extensions at all, and TLSv1.0
> already covered everything.
>
I think that SSLv3 did allow additional arbitrary data to be added after a
ClientHello without specifying the format (meaning that technically extensions
could be included), and that this additional data was included in MACs.
However, testing has shown that many implementations (including one ancient
version of OpenSSL) didn't handle this properly, meaning that including
extensions in SSLv3 can result in handshake failure.
OpenSSL did include extensions in SSLv3, but the resulting failures have meant we
don't do this any more.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson at drh-consultancy.co.uk, PGP key: via homepage.
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
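The point Marsh makes above (the Finished MAC covers the extensions in both Hellos, so an attacker who adds an extension to the forwarded ClientHello or strips one from the returned ServerHello breaks verification) can be shown concretely. The following is an added example written for this page, not code from the thread participants or from OpenSSL. It implements the TLS 1.2 PRF and the verify_data computation from RFC 5246 over simplified, hand-built ClientHello/ServerHello encodings, with the renegotiation_info extension type from RFC 5746; the master secret, randoms and the attacker's verify_data bytes are constructed fixtures, and the hello encodings omit fields that do not matter for the transcript argument.

```python
"""Why a transcript-covering Finished defeats extension tampering by a MITM.

Each endpoint hashes every handshake message it sent or received and feeds
that hash into the PRF that produces the 12-byte verify_data in Finished
(RFC 5246 section 7.4.9). If the two endpoints saw different Hello messages,
their verify_data values differ and the handshake fails.
"""
import hashlib
import hmac
import struct

CLIENT_HELLO, SERVER_HELLO = 1, 2
RENEGOTIATION_INFO = 0xFF01          # extension type from RFC 5746

# Constructed fixtures. In a real handshake these come from the key exchange
# and the RNG; the MITM in the scenario does not learn the master secret.
MASTER_SECRET = b"\x42" * 48
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake header: type(1) || length(3) || body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def extensions_block(exts) -> bytes:
    """Encode [(ext_type, ext_data), ...] as a TLS extensions vector."""
    body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    return struct.pack(">H", len(body)) + body


def client_hello(exts) -> bytes:
    # version, random, empty session_id, one cipher suite, null compression
    body = (b"\x03\x03" + CLIENT_RANDOM + b"\x00"
            + struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00")
    return handshake_msg(CLIENT_HELLO, body + extensions_block(exts))


def server_hello(exts) -> bytes:
    body = b"\x03\x03" + SERVER_RANDOM + b"\x00" + b"\x00\x2f" + b"\x00"
    return handshake_msg(SERVER_HELLO, body + extensions_block(exts))


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[0:12]."""
    return prf(master_secret, label, hashlib.sha256(transcript).digest(), 12)


def client_finished_verifies(client_transcript: bytes, server_transcript: bytes) -> bool:
    """Client builds Finished over its own view; the server checks it against its own."""
    sent = verify_data(MASTER_SECRET, b"client finished", client_transcript)
    expected = verify_data(MASTER_SECRET, b"client finished", server_transcript)
    return hmac.compare_digest(sent, expected)


def run_handshake(mitm: bool) -> bool:
    """Return whether the server accepts the client's Finished.

    Honest case: both sides see identical Hellos.
    MITM case (the scenario from the thread): the attacker replaces the
    client's empty renegotiation_info with one carrying the attacker's own
    verify_data, and empties the extension in the ServerHello it forwards
    back to the client.
    """
    client_ri = b"\x00"                       # empty renegotiated_connection
    mitm_ri = b"\x0c" + b"\xaa" * 12          # constructed attacker verify_data
    server_ri = b"\x18" + mitm_ri[1:] + b"\xbb" * 12   # client + server verify_data

    ch_from_client = client_hello([(RENEGOTIATION_INFO, client_ri)])
    sh_honest = server_hello([(RENEGOTIATION_INFO, client_ri)])
    if not mitm:
        return client_finished_verifies(ch_from_client + sh_honest,
                                        ch_from_client + sh_honest)

    ch_at_server = client_hello([(RENEGOTIATION_INFO, mitm_ri)])   # extension added
    sh_from_server = server_hello([(RENEGOTIATION_INFO, server_ri)])
    sh_at_client = sh_honest                                       # extension emptied
    return client_finished_verifies(ch_from_client + sh_at_client,
                                    ch_at_server + sh_from_server)


if __name__ == "__main__":
    print("honest handshake accepted:", run_handshake(mitm=False))        # True
    print("extension-tampering MITM accepted:", run_handshake(mitm=True))  # False
```

The check does not depend on the content of renegotiation_info at all: any byte the MITM changes in either Hello lands in the transcript hash, which is why the extension needs no separate integrity protection in TLS 1.0 and later. The caveat Steve raises still applies: the protection only exists where the implementation actually includes the trailing ClientHello data in its handshake hash, and SSLv3 peers that mishandle that data fail the handshake for a different reason.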