Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: tls at ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Michael D'Errico <mike-list at pobox.com>
Date: Mon, 09 Nov 2009 21:00:19 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=6Rv8739VjmaQ gELgB8HyuNRiN2g=; b=wisd/c9ybgAUfwPuCvWQbbtBKRcAHcnq25lT1FrNWjSZ PmsvuUZbRsRpv+cJJQBjZoNiA3JCiODEMScn43pNWmUIbFmMkwDx8VMX509B1tc7 d76BfIlq9dSUJZCW8ZzIIh3KE/ytgbJq0YfwX0YzlKuV2QEsQsExZcypzWR6j4I=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=DB8Oo8 uX0Uq/Jv2X5RCHgm5uAcMP4DYuXXK92jnAlvEprl9Yf4f5EDX8lM92M0GWKF6D6s /KDQEaFVGshqLuh3L1dHkZLLTcmAHnO5BlKvdcOmtmMbm5rA8unDe6khQrWOtifV NmgZ2NB2daTbloVl6v3XVO7zxgU5V5ocTAUZw=
In-reply-to: <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

As previously described in another message, the current spec has a
requirement that additonal application data may be arbitrarily
interleaved with a renegotiation handshake.  I think this requirement
makes a security assessment of the protocol impossible for changing
identities.


If your TLS API was able to tell you exactly where in the application
data stream a renegotiation has completed successfully, you would
be able to apply the original security parameters to the data received
prior to the renegotiation, and then switch to the new parameters for
the data received after the renegotiation.

That would catch the MITM attack being discussed now.

Personally, I would it find much cleaner if the semantics for the
renegotiation would require the TLS peers to suspend transmission
of application data while performing TLS renegotiation,
i.e.

   the client must not send any application data between
   ClientHello and the client's Finished message

   the server must not send any application data between
   ServerHello and either no_renegotiation alert or

the server's Finished message

   the client must drop all application data received
   between ServerHello and either no_renegotiation alert
   or the server's Finished message

   the server must drop all application data received
   between the ClientHello and the client's Finished message


When I first implemented TLS, the only reason I could envision for
renegotiation was to refresh the symmetric keys, so I made it work
asynchronously.  I wrote about it in this message:

  http://www.ietf.org/mail-archive/web/tls/current/msg04042.html

With this design, application data can flow at nearly full speed while
a renegotiation is taking place.  Requiring all data to stop flowing
during a renegotiation, may be unnecessary in some situations.  I do
see however, that data probably needs to stop flowing after sending
a Finished message until receiving the peer's Finished message, but
that affects only one direction and last for one round trip, not two.

When you add changing client credentials to the mix, then data flow
probably has to stop, but that is really an application-level decision.
Also silently dropping data never seems like the right thing to do IMHO.

Are there currently applications that actively abuse the possibility
provided by the spec to interleave application data and handshake
messages of a TLS renegotiation handshake (provided that the
TLS implementation that (a) they're using and (b) they're talking
to actually allow this.  The fact that the spec says so, doesn't
mean that everyone has implemented it in this fashion (since it
is complex,difficult and possibly insecure)?


Yes, see the above referenced message.  But I don't agree that it's
abuse since that is what the spec. says to do.

Mike

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

Prev by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] To API or not
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.