Yoav Nir wrote:
> David-Sarah Hopwood wrote:
>> Marsh Ray wrote:
>>> Yair Elharrar wrote:
>>>> In addition, until such time that all clients in the world start
>>>> supporting this extension (e.g. kiosks in airports), servers will
>>>> have to support backward compatibility.
>>> It will be a trade-off for each server admin to weigh and decide their
>>> policy. I suspect many admins will prefer not to allow insecure
>>> connections from unpatched airport kiosks.
>> To prevent this attack, they don't have to disallow connections, only
>> renegotiations in which the extension is not used.
>
> Even that can be further refined. You can freely renegotiate an
> authenticated session, as long as the renegotiation does not involve an
> identity change.

I don't agree. In order for the security properties that are supposed to
be provided by TLS to be preserved, the client in the renegotiated session
must be able to prove cryptographically that it knows some secret that was
associated with the previous session, *and* that it intends this session
to be a continuation of that one. The only practical way to do that is
with the extension.

In particular, "any renegotiation that includes the same client cert" is
not fine. If the private key to a given client cert is compromised, that
should only allow an attacker who knows it to authenticate with that cert;
it should not allow them to attack the sessions of the original cert holder.

-- 
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
Attachment:
signature.asc
Description: OpenPGP digital signature
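The binding argument in the message above, as an added model that is not part of the original thread or of any TLS implementation. It assumes "the extension" is the renegotiation_info extension (the draft under discussion on the list, later published as RFC 5746): the client's ClientHello carries the client_verify_data of the previous handshake on the same connection, and the server refuses a renegotiation whose value does not match. The Finished-value derivation is replaced by HMAC-SHA256 over a constructed transcript (an assumption, not the TLS PRF), and the master secrets and transcripts are constructed inline. The scenarios show the three cases the thread argues about: an honest renegotiation, an attacker splicing a victim's initial handshake into the attacker's connection (accepted only under the legacy policy), and an attacker who holds the victim's client-certificate key but not the session secret.

```python
"""Model of TLS secure-renegotiation binding (constructed example, not RFC text)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Finished-message value of one handshake. Real TLS 1.2 uses
    PRF(master_secret, label, Hash(handshake_messages))[:12]; HMAC-SHA256
    truncated to 12 bytes stands in for the PRF here (an assumption)."""
    mac = hmac.new(master_secret, label + hashlib.sha256(transcript).digest(), hashlib.sha256)
    return mac.digest()[:12]


@dataclass
class Connection:
    """Server-side state for one TLS connection."""
    handshakes: int = 0
    secure_renegotiation: bool = False   # peer sent the extension in the initial handshake
    client_verify_data: bytes = b""      # from the most recent completed handshake
    server_verify_data: bytes = b""


@dataclass
class ClientHello:
    """Only what the check needs. master_secret/transcript stand for the
    key exchange that follows this hello (constructed values)."""
    client_cert: str
    renegotiation_info: Optional[bytes]  # None: extension absent; b"": initial handshake
    master_secret: bytes
    transcript: bytes


def server_handshake(conn: Connection, hello: ClientHello,
                     allow_legacy_renegotiation: bool = False) -> Tuple[bool, str]:
    """Accept or reject a handshake on `conn`. A renegotiation must carry the
    client_verify_data of the previous handshake on this same connection."""
    if conn.handshakes == 0:
        if hello.renegotiation_info not in (None, b""):
            return False, "initial handshake carried non-empty renegotiation_info"
        conn.secure_renegotiation = hello.renegotiation_info is not None
    elif hello.renegotiation_info is None:
        # Legacy peer, or an attacker forwarding a legacy ClientHello.
        if conn.secure_renegotiation or not allow_legacy_renegotiation:
            return False, "renegotiation without the extension refused"
    elif not hmac.compare_digest(hello.renegotiation_info, conn.client_verify_data):
        return False, "renegotiation_info does not match previous client_verify_data"
    # Key exchange and Finished messages (modelled, not run): record the new values.
    conn.client_verify_data = verify_data(hello.master_secret, b"client finished", hello.transcript)
    conn.server_verify_data = verify_data(hello.master_secret, b"server finished", hello.transcript)
    conn.handshakes += 1
    return True, f"handshake {conn.handshakes} complete for {hello.client_cert}"


def scenario_honest_renegotiation() -> bool:
    """Alice renegotiates her own connection, binding to her first handshake."""
    conn = Connection()
    ms1 = os.urandom(48)
    ok1, _ = server_handshake(conn, ClientHello("alice", b"", ms1, b"alice-hello-1"))
    binding = verify_data(ms1, b"client finished", b"alice-hello-1")  # Alice computes this herself
    ok2, _ = server_handshake(conn, ClientHello("alice", binding, os.urandom(48), b"alice-hello-2"))
    return ok1 and ok2


def scenario_spliced_victim(allow_legacy: bool, victim_patched: bool) -> bool:
    """Mallory opens the connection, then forwards Alice's *initial* ClientHello
    inside it as a renegotiation. From Alice's side it is a first handshake, so
    her renegotiation_info is absent (unpatched) or empty (patched)."""
    conn = Connection()
    server_handshake(conn, ClientHello("mallory", None, os.urandom(48), b"mallory-hello"), allow_legacy)
    alice_ext = b"" if victim_patched else None
    ok, _ = server_handshake(conn, ClientHello("alice", alice_ext, os.urandom(48), b"alice-hello"), allow_legacy)
    return ok


def scenario_stolen_client_key() -> bool:
    """Mallory holds Alice's client-cert private key but not the master secret of
    Alice's live session, so she cannot produce the binding value. Presenting the
    same cert is therefore not a substitute for the extension."""
    conn = Connection()
    server_handshake(conn, ClientHello("alice", b"", os.urandom(48), b"alice-hello"))
    guessed = verify_data(os.urandom(48), b"client finished", b"alice-hello")  # wrong secret
    ok, _ = server_handshake(conn, ClientHello("alice", guessed, os.urandom(48), b"mallory-hello"))
    return ok


if __name__ == "__main__":
    print("honest renegotiation accepted:", scenario_honest_renegotiation())
    print("splice, legacy policy, unpatched victim:", scenario_spliced_victim(True, False))
    print("splice, strict policy, unpatched victim:", scenario_spliced_victim(False, False))
    print("splice, legacy policy, patched victim:", scenario_spliced_victim(True, True))
    print("stolen cert key without session secret:", scenario_stolen_client_key())
```

The only scenario the server accepts besides the honest one is the splice under the legacy policy against an unpatched victim, which is exactly the hole the message says a server can close by refusing renegotiations that lack the extension, without refusing initial connections from unpatched clients. The stolen-key scenario fails because the binding value depends on the previous session's master secret, not on the certificate.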