Re: [TLS] Could the renegotiation attack be used for session hijacking?
Yoav Nir wrote:
>
> 1. Client connects without a certificate, but the session is
> authenticated by the protocol (like an HTTP form or FTP login). The MITM
> just proxies the connection to allow the client to authenticate.
TLS is now doing its job providing encryption, and the MITM cannot read or
modify traffic.
> 2. After a while, the session requires rekeying, so the server sends a
> HelloRequest.
This will be observable by the MITM because the record layer does not
encrypt the payload type identifier. It will be seen as a handshake
message from server to client, I believe of predictable size.
> 3. The MITM stops passing data to the client, and sends a ClientHello to
> the server.
The renegotiation handshaking is covered by the encryption state of the
previous session. So this attack is defeated.
It may be that some TLS servers would accept an unencrypted ClientHello
at this point, or even an SSLv2-compatible ClientHello which may be
handled by a different code path. But I don't think those would be bugs
in the TLS protocol, just implementation bugs.
- Marsh
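An added worked example of the two record-layer points made in the reply above; this is not code from the thread or from any TLS implementation. It models a TLS 1.2-style record with the 5-byte plaintext header (content type, version, length) and a toy protection scheme (HMAC-SHA256 over sequence number, header and fragment, with an HMAC-derived keystream) standing in for the real cipher suite; the keys, the ClientHello bytes and the record states are constructed here. It shows that an on-path observer can classify the HelloRequest record as a handshake record of fixed size without any keys, and that a ClientHello the MITM sends to the server in the clear fails the integrity check of the established cipher state, while the same ClientHello sent by the client under that state is accepted. The server modelled here is a conforming one; a server that accepted the unprotected record would be the implementation bug the reply mentions.

```python
import hmac
import hashlib
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1). In TLS 1.2 and
# earlier these are sent in the clear, which is why a HelloRequest is
# visible to an on-path observer even though its payload is encrypted.
CONTENT_TYPE_NAMES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}
HANDSHAKE = 22
TLS12 = b"\x03\x03"
MAC_LEN = 32  # HMAC-SHA256 tag length


class AuthenticationError(Exception):
    """Record failed the integrity check of the current cipher state."""


class RecordState:
    """Toy record protection for one direction (constructed for this example,
    not real TLS crypto). Peers derive matching states from the finished
    handshake; an MITM without the keys cannot produce a valid record."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def _keystream(self, seq: int, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            block = b"ks" + struct.pack(">QI", seq, counter)
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def protect(self, content_type: int, plaintext: bytes) -> bytes:
        ks = self._keystream(self.seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        header = struct.pack(">B2sH", content_type, TLS12, len(ciphertext) + MAC_LEN)
        # As in TLS 1.2, the MAC covers the sequence number and the plaintext
        # header fields, so a record spliced in from outside cannot pass.
        mac_input = struct.pack(">Q", self.seq) + header + ciphertext
        tag = hmac.new(self.key, mac_input, hashlib.sha256).digest()
        self.seq += 1
        return header + ciphertext + tag

    def unprotect(self, record: bytes):
        header, body = record[:5], record[5:]
        if len(body) < MAC_LEN:
            raise AuthenticationError("record too short")
        ciphertext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        mac_input = struct.pack(">Q", self.seq) + header + ciphertext
        expected = hmac.new(self.key, mac_input, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise AuthenticationError("bad record MAC")
        ks = self._keystream(self.seq, len(ciphertext))
        self.seq += 1
        return header[0], bytes(c ^ k for c, k in zip(ciphertext, ks))


def observe(record: bytes) -> dict:
    """What an on-path MITM learns without keys: the unencrypted header."""
    content_type, _version, length = struct.unpack(">B2sH", record[:5])
    return {"type": CONTENT_TYPE_NAMES.get(content_type, "unknown"), "length": length}


def hello_request() -> bytes:
    # HandshakeType hello_request(0) with a zero-length body: always 4 bytes,
    # so the protected record has a predictable size.
    return b"\x00\x00\x00\x00"


def plaintext_client_hello() -> bytes:
    # Constructed, minimal ClientHello handshake message (version, zero random,
    # empty session id, one cipher suite, null compression). Enough to stand in
    # for what an MITM would inject; not a complete, valid ClientHello.
    body = TLS12 + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    return b"\x01" + struct.pack(">I", len(body))[1:] + body


def demo() -> dict:
    key = hashlib.sha256(b"constructed master secret for this example").digest()
    server_write = RecordState(key)         # server -> client direction
    client_write = RecordState(key[::-1])   # client -> server direction
    server_read = RecordState(key[::-1])    # server's matching receive state

    # Step 2 of the quoted scenario: the server sends a HelloRequest. The body
    # is encrypted, but the content type (22) and length are not.
    rekey_record = server_write.protect(HANDSHAKE, hello_request())
    seen = observe(rekey_record)

    # Step 3: the MITM withholds the record and sends its own ClientHello to
    # the server in the clear. The server's receive state rejects it.
    ch = plaintext_client_hello()
    injected = struct.pack(">B2sH", HANDSHAKE, TLS12, len(ch)) + ch
    try:
        server_read.unprotect(injected)
        injection_accepted = True
    except AuthenticationError:
        injection_accepted = False

    # The client's own ClientHello, protected under the existing state, is fine.
    ctype, plain = server_read.unprotect(client_write.protect(HANDSHAKE, ch))
    return {"observer_sees": seen,
            "plaintext_injection_accepted": injection_accepted,
            "legit_renegotiation_type": CONTENT_TYPE_NAMES[ctype],
            "legit_renegotiation_intact": plain == ch}


if __name__ == "__main__":
    print(demo())
```

The observer's view is the interesting part for a network-side detector: with TLS 1.2 and earlier, a record of type 22 appearing mid-connection after application data is a renegotiation in progress, and a 4-byte HelloRequest gives a fixed record length for a given cipher suite.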
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.