Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Yoav Nir <ynir at checkpoint.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Marsh Ray <marsh at extendedsubset.com>
Date: Mon, 09 Nov 2009 16:09:41 -0600
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16 at ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803 at extendedsubset.com>, <4AF86EDF.3090004 at jacaranda.org> <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Yoav Nir wrote:
> 
> Even that can be further refined. You can freely renegotiate an
> authenticated session, as long as the renegotiation does not involve
> an identity change.

Maybe. What about cases where the sessions are "authenticated" from the
perspective of TLS, but the higher-layer protocols stack on additional
notions of identity?

I seem to recall systems (MS Terminal Services Gateway perhaps?) where a
common client cert is used simply to grant basic access, then some form
of HTTP authentication is used to authenticate which user it is.

TLS does not necessarily know the full extent of "identity" attributed
by higher layers, so you would be allowing any party that can pass the
TLS level auth to MITM the others.

For example, a browser may have several connections to the same set of
servers behind https://ecommerce.example.com/, but you still wouldn't
want to allow a bad guy on one to splice channels between them.

> Obviously, if the first handshake include client authentication, any
> renegotiation that includes the same client cert is fine.

I disagree, I think it subtly violates the assumption of continuity over
the TCP connection.

> If the session is authenticated by the application (as in an HTTPS
> login page) it's also possible to renegotiate with impunity,

Renegotiation (in the absence of draft-rescorla-tls-renegotiate) offers
a point which allows anyone who can pose as one of the parties (perhaps
an anon) to splice in a connection from a third party to the one he is
posing.

This is bad, the HTTPS client-cert renego case.
   A---+---B
   C---+
A-Anonymous Alice
B-Bob
C-Client cert authenticated

These are also bad:

   A---+---B  C---+---B      +---A2 (requires buggy client)
   A---+      C---+      A---+---B

This violates core assumptions even if the same name or "anonymous"
appears at each end of the multiple sessions at play.

- Marsh

References:
- [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir

Prev by Date: [TLS] Early code point assignment
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.