Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: Nicolas Williams <Nicolas.Williams at sun.com>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Marsh Ray <marsh at extendedsubset.com>
Date: Tue, 10 Nov 2009 12:02:06 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091110164609.GS1105 at Sun.COM>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <006FEB08D9C6444AB014105C9AEB133FB36A4EBF03 at il-ex01.ad.checkpoint.com> <200911092152.nA9LqVkW000963 at fs4113.wdf.sap.corp> <20091109223417.GK1105 at Sun.COM> <4AF8E755.5020208 at extendedsubset.com> <20091110164609.GS1105 at Sun.COM>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Nicolas Williams wrote:
> On Mon, Nov 09, 2009 at 10:08:53PM -0600, Marsh Ray wrote:
> 
> TLS connections are not so long lived

But there is no defined upper limit.

> that we should worry about issues
> such as, for example, public key rollover or certificate expiration
> during a connection's lifetime.

I agree, but we should probably check that it's documented somewhere.

> Therefore a simple Certificate octet-
> for-octet comparison will do for identity comparison.  Anything more
> complicated than that (and anon->non-anon) would make Martin's proposal
> too unqieldy to consider at this point, and possibly ever.

So this restriction would not apply when another auth type is used?

>> Isn't that one of the major uses of renegotiation? To change identity?
> 
> But only from anonymous to non-anonymous, right?  That's also easy to
> specify.

One subtlety is that apps (https servers) are still expecting the
transition to preserve some guarantees about identity. Even though the
first session is "anonymous" it still has an identity, namely it has to
be the same party as all previous non-anonymous sessions on the same
connection.

The proposed Renegotiation Indication extension attempts to enforce
those guarantees, but I'm not sure it's so easy to specify that it
shouldn't be given a lot of thought. (Consider what happens when you add
various combinations of resumption into the mix.)

> Ordering cipher suites by strength is a complex
> topic that I'd rather avoid for the specific enhancement that Martin
> proposes.

Perhaps ordering levels of authentication is equally complex.

>> Would that make it illegal to resume a previous session over the same
>> underlying connection if it could not be proven it was "the same" identity?
> 
> There's no authentication during session resumption handshakes --
> there's only proving that both peers remember the relevant state,
> including master secret.

Isn't proving "I'm the same as that other guy" a form of authentication?

Surely this will be allowed:

  |--- session A anon ---||-- resumed A --|

Is this allowed?

  |--- session A anon ---|
  |--- session B anon ---||-- resumed A --|

I have heard that browsers may do this.

>> What if the session's identity were strengthened? Could you end up in a
>> situation where a session could be resumed on any of several other
>> connections except the one on which it originated!
> 
> I'm not sure I follow.  See above.

1  |--- session A anon ---||-- session B client cert auth --|
2  |--- session C anon -----|
3  |--- session D anon -----------|
4  |--- session E anon -----|

Would an effect of the proposal be that session A can be resumed on
connections (2, 3, 4) but not 1?

- Marsh

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yoav Nir
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Nicolas Williams

Prev by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.