Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

To: tls at ietf.org
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Date: Tue, 10 Nov 2009 06:24:14 +0000
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=5jLpQXjD+u2BqhgVdKA/j4IeAP7Gf52BV41vt6mEv6g=; b=jPSEGx403NSCW+qI/XQMtQ5lkuwhwDNjd7quLTgj4sdXmE8fM91ZehCnddnvwi7lBS wuLEgrUgMi297i+wG6mK98i+BCnMDY10QEG1WPzJUZjheb7jion101SMyCzqBCM8ijYC u2VlrduQ9hBnN4vtjWqq8XIyMJiyehG+sHE9M=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=MnBGWPpNJNvnRzaWys45Hzu+M3S25F31nzvGvX/99TKrhlJ/ka+GBr5o4fWk+Uk+xd eQpLAbjv8E43frlnyPRGRl7sIWL/SA/SIQLJKS4552yCMUSbKchJTdZm/i7Bz8BVreRQ u8lms/bq8c4xTIu/JPToOjktcUz89C0+OIq0E=
In-reply-to: <4AF8FDBD.4080003 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp> <4AF8EF8F.3090100 at jacaranda.org> <4AF8F7B4.7020101 at pobox.com> <4AF8FDBD.4080003 at jacaranda.org>
Sender: David-Sarah Hopwood <djhopwood at googlemail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666

David-Sarah Hopwood wrote:
> Michael D'Errico wrote:
>>> Suppose that the client sent an SSLv3 ClientHello
>>> with client_version = 3.1 (or higher). Assuming the server supports TLS,
>>> then TLS will be negotiated. So when the client sends the renegotiation,
>>> it knows that it is safe to send extensions. The attack is prevented as
>>> long as the renegotiating handshake uses the extension; it is not
>>> necessary for the initial handshake to have used it.
>> The problem is that your initial handshake *is* the renegotiation!
>> (from the server's point of view)
> 
> I may well be confused, but: a handshake is a renegotiation if-and-only-if
> it is encrypted. Initial handshakes are in the clear. So there is no
> ambiguity, from either party's point of view, about whether a handshake
> is a renegotiation.

Actually this is not quite right, although not in a way that affects my
main point.

A handshake is a renegotiation from the server's point of view
if-and-only-if a ciphersuite other than TLS_NULL_WITH_NULL_NULL is
in effect. It is possible that an initial handshake by a client that
was sent in the clear, could be encrypted by an attacker and appear to
the server as a renegotiation. In that case, the server can reject the
renegotiation if the ClientHello doesn't contain a correct (and non-empty)
Renegotiation_Info.

It is also possible that, if a client that does not support the extension
requests a renegotiation on a session with the attacker, then the attacker
can decrypt it and present it to the server as an initial handshake.
But this only applies to clients that do not support the extension at all.
If a client does support it and sends it only when renegotiating, then
this variant of the attack is still prevented.

So, I was right in my original statement that "the attack is prevented
as long as the renegotiating handshake uses the extension." Note that
both clients and servers must avoid renegotiating without using the
extension; it isn't sufficient for only servers to avoid doing so.
As long as that is the case, for a client does support the extension,
failing to send the zero-length Renegotiation_Info in an initial handshake
does not enable an attack.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Michael D'Errico

References:
- [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Index(es):
- Date
- Thread

Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.