Re: [TLS] TLSrenego - current summary of semantics and possibilities

To: tls at ietf.org
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
From: Michael D'Errico <mike-list at pobox.com>
Date: Tue, 10 Nov 2009 12:58:59 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=CgAJGHUS0ycJ k7fbft3yxpVK0rE=; b=g6peYW0pKnDFCUeFChFBhfXIHGh3P6MDNhCQ6pCPYGSu wXVxQG9wzAUjWKrSGA8EPmKhFonW3NOymutb16QcecSnnPoPg3UlvHZ+1Te1ynW2 GcvrOT0LT9fc1Rd9NejW87dMset/CKZcbzlIy2WPUmAHFDnj5osdE71RNBFITc0=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=gwnYOU ad7SnHS713ibVXwneiPotHZnlDxq36lLKtwj3XOBEJcLgN5ZdL2ciyY33X1ZlkIe sLtOYcINXZMb6Dyp24RtQcQmZ5lRStoSPV6I7LAJc5IQ6zvSNchIelLJvC5iC8VQ KPCjR6Wehuk76Tfw9i0M2whR8o7WEm0JrUPCw=
In-reply-to: <200911101928.nAAJSGjI020038 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911101928.nAAJSGjI020038 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

It is possible that a TLS client may not want to assert the TLS extension
Renegotiation_Info in an initial ClientHello because of interoperability
concerns with an installed base of not-quite-spec-compliant servers.


Then it will end up buying a lot of pizza.

Simply finishing the *initial* handshake completes the attack!  (The
server saw it as a renegotiation, not the client.)

To protect against this, the only thing that a client can do is include
the empty renegotiation info extension.  If the server returns it and
the handshake completes, there is no MITM.  In fact if you were to then
renegotiate, you wouldn't need the extension (!) because you are already
certain that the handshake was with the server and not the MITM.

There are a few possible results of sending the extension:

    a) the server responds with the extension
    b) the server responds without including the extension
    c) the server "crashes" because of the extension

(a) is fine as long as the extension is empty.
(c) could be simulated by the MITM, so be careful -- falling back to a
    less-secure mode can play into their hands
(b) continue at your own risk -- a client could hold off on sending a
    certificate (if requested) and not send any Cookies.  The HTTPS
    request will fail, but the client can just reissue it after the
    failure -- possibly after renegotiating to send its certificate
    (this is secure if the client has verified the server's cert).

Overloading ("abusing") the semantics of other regular elements
of an SSL/TLS handshake that have a lesser likelihood to upset
legacy servers.

   - Assign one (or two) specific ciphersuite IDs that the client
     can include in the ciphersuites list which signal the clients
     notion of the connection state (initial vs. renegotiation)
     to the server.

   - Assign one (or two) compression algorithm IDs that the client
     can include in the supported compression algorithms list which
     signal the clients notion of the connection state (initial vs.
     renegotiation) to the server.


I would not like to see this kind of solution.  If code has to change,
Do The Right Thing.

We could define a new TLS handshake message "RenegotiationRequest"
to be sent instead of a "HelloRequest".  This would be an option for
those servers, that will abort the handshake and connection
if the client does not send the TLS extension Renegotiation_Info.


Again, the attack happens on the client's *initial* handshake, so it
never receives a HelloRequest.

Mike

Follow-Ups:
- Re: [TLS] TLSrenego - current summary of semantics and possibilities
  - From: Martin Rex

References:
- [TLS] TLSrenego - current summary of semantics and possibilities
  - From: Martin Rex

Prev by Date: Re: [TLS] TLSrenego - current summary of semantics and possibilities
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] TLSrenego - current summary of semantics and possibilities
Next by thread: Re: [TLS] TLSrenego - current summary of semantics and possibilities
Index(es):
- Date
- Thread

Re: [TLS] TLSrenego - current summary of semantics and possibilities

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.