Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: mrex at sap.com
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Marsh Ray <marsh at extendedsubset.com>
Date: Tue, 10 Nov 2009 15:42:24 -0600
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911102101.nAAL1Ai9025439 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <200911102101.nAAL1Ai9025439 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Martin Rex wrote:

> If you lock down established identites, then I do not see a problem with this.

Really, it's the upper layers that define how 'identity' is to be
interpreted. TLS may know that the certs on one end or the other is the
same, but that is not the same as saying that the actual app-layer
identities are interchangeable.

>> I do see however, that data probably needs to stop flowing after sending
>> a Finished message until receiving the peer's Finished message, but
>> that affects only one direction and last for one round trip, not two.
> 
> Why Finished?  I think its everything following the ChangeCipherSpec.

For all the reasons that the Finished message was added to the protocol?

Hmmm, is app data allowed prior to the first finished message? No way,
couldn't happen.

> Sending an alert when that happens and closing the connection
> is fine with me.

Certainly preferable to passing something unexpected.

> I'm wondering whether there are application that actively abuse
> this feature and would break if the TLS implementation would exhibit
> semantics similar to those I outlined above and fail with an error
> if the TLS implementation would reject application data while
> performing the renegotiation handshake.

I believe that there are TLS library implementations that conduct
renegotiation transparently to the application code unless the app
specifically requests it.

Really there are a few missing letters in the plaintext alphabet.

Handshake - A marker, encodes identity info.
0x00 - 0xFF traditional data byte values.
EOD - End of data, like EOF.

Without that 'handshake' value actually there in the middle of the
plaintext buffered data coming out of the API, I don't know how
application code can get this right.

I haven't seen a TLS library API that defines things that way though.
Many provide a callback for the identity change, but it's unclear
what happens to buffered plaintext at the time it's called.

> What about the application data sent between the ChangeCipherSpec
> and the Finished messages?

Possibly Handshake is really two messages, HandshakeCCS and
HandshakeFinished.

If app data is prohibited before the first Finished, and the RI ext
strongly ties the sessions together, does this issue go away?

- Marsh

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

Prev by Date: Re: [TLS] TLSrenego - current summary of semantics and possibilities
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.