Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Yoav Nir <ynir at checkpoint.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Mon, 9 Nov 2009 12:21:21 -0600
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <195C3B4A-77FC-41AD-A0B7-6A3E076BE190 at checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16 at ACLMAIL01.corp.audiocodes.com> <195C3B4A-77FC-41AD-A0B7-6A3E076BE190 at checkpoint.com>
User-agent: Mutt/1.5.7i

On Mon, Nov 09, 2009 at 02:36:47PM +0200, Yoav Nir wrote:
> On Nov 9, 2009, at 2:17 PM, Yair Elharrar wrote:
> 
> >The proposed draft is intended to resolve an MITM attack scenario,  
> >but is the new extension tamper-resistant?
> 
> It's as resistant as TLS is.
> 
> >Since the MITM handles all traffic between the real client and real  
> >server, it could add a fake extension to the 2nd ClientHello with  
> >its original verify_data, and empty the returned extension in the  
> >ServerHello.
> 
> The Finished messaged at the end of the TLS handshake signs all the  
> previous data. Unless the MITM can replicate the server's calculation  
> of the opaque_verify_data field, the client will notice that the  
> finished message is wrong (it signs an extension that the client did  
> not send).

Indeed, the Finished message is the key.

Note that there's no real need for the channel binding to actually be
sent, as in EKR's proposed fix: there's only a need to include it as an
extra input to the PRF call used to construct the Finished messages.
However, by sending the channel binding data as a Hello extension, this
proposal does the least amount of violence to existing implementations.

Nico
--

References:
- [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir

Prev by Date: Re: [TLS] Implementing https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegot iate.txt
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.