Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: tls at ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Michael D'Errico <mike-list at pobox.com>
Date: Tue, 10 Nov 2009 15:59:10 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=GPP5xcV34Rek 14RcBBv4Fv9vjKc=; b=kvCNfds5BVaKk2gpe/AvpeIXbm/DB/Es/dvlLviuBpeQ FB5ejfhcEICivggzLjH/Ehh3nYaJNZqn34ydnSbA/r+f5pmEk6Rt+9Vh+MX2I82c x81hqtjOZyoXu/5KcYAgU3ej5G/gOT+Y1vpbnZN/5+xUL+EPulIJgqk3b7hRcsc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=UPblOV gg2Vh6jz8cFqLTKg2weJZmwb8kyfZJTWm3IIe7qjdnFmKXZZR1MP5LntajAzTFbd wi2HCHXQ33+zyYwZHkq2Jd93DZuYfebWnWAKGcIGxRdYeZjnbCf0I/1vUjoyYdyZ AflElIMgMs3LMggj/YtwCt5jgYyYVvAmb4ANM=
In-reply-to: <200911102101.nAAL1Ai9025439 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911102101.nAAL1Ai9025439 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

What about the application data sent between the ChangeCipherSpec
and the Finished messages?


I don't think application data should be (allowed to be) sent between
ChangeCipherSpec and Finished.  Should it be required for a fatal alert
to be sent if such data is received?  That would make sense.

Since the current SSL&TLS specs are completely ambiguous, you can
not claim "if your TLS API was able to tell you exactly where in
the application data stream", because currently no such semantics
exist!  Two independent implementations of TLS that claim to
tell you exactly where the position is may identify entirely
different positions -- and with the current spec, it is impossible
to decide where the position should be.


I disagree.  When you receive the ChangeCipherSpec, the new parameters
take effect; the Finished message has to immediately follow to verify
the handshake succeeded.  Verification of the Finished message signals
the end of the old session and the beginning of the new.

This would require no application data be sent between CCS and Finished,
but that should be a requirement anyway.  And it would be surprising
to learn about an implementation that doesn't generate Finished
immediately after generating the CCS.

That would catch the MITM attack being discussed now.


We're going to plug that MITM attack with secure renegotiation.


Sure, but my point was that if these semantics had existed, this MITM
attack might not have been possible.  Or rather, it would have been
easier to see the problem of applying the new credentials to the old
request retroactively.  I think it would be valuable for an API to add
these semantics even with the addition of secure renegotiation.

But that will not affect the miserable ambiguity for where the
original session ends and the new session starts if we do allow
established identities to change during renegotiation.


The CCS/Finished tells you where to draw the line.

To fix that, we will have to spell out the precise semantics
in a specification.  IMHO, the cleanest would be to disallow
application data transfer during a renegotiation handshake.


This should be up to the particular application.  If rekeying is the
reason for the renegotiation, you want to keep data flowing as much
as possible.  For changing identities, an application might forbid
data flow, or it may not.

Also silently dropping data never seems like the right thing to do IMHO.


_I_ did not write _silent_ dropping.  Dropping and aborting is fine.
Dropping in the sense of "MUST NOT make it available to the application".


OK, but I would advocate MUST make available to the application and
provide an indication of where the renegotiation finished.

The problem with HTTPS is that the request line is sent before the
handshake even starts, and then once completed, that request line is
reused under the new credentials.  HTTP(S) needs a way to ask the
client to resend its entire request.

Mike

Follow-Ups:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] TLSrenego - current summary of semantics and possibilities
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.