Re: [TLS] Proposal for hybrid solution using most of the ideas

To: tls at ietf.org
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Michael D'Errico <mike-list at pobox.com>
Date: Wed, 18 Nov 2009 16:15:55 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=4PfkBddVFPj9 MwhkZDWow10FgVE=; b=i9wINNjK0dtW6zSu7BLfaan/VpRuqB2eHtKcDvg1M4wG lkkZtDYaCEdLF0LokFERTP+AsJhkvRZtlsmLBGLU+b6fnRoZewx9TgzPE33Q1/ud OnozTRXHMp7v86l5P0S6A/uNK7oa0TVG8rz50xsdcl+i9zMwM2aBLxFuPDw7X3M=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=DdTNj0 CCTmJD7vOVx2LET8WMnXCth6nD+NqjK4E+WKHt0ni2PluX94CCBpFKOJtKkx5hQw Hdl495wY/BmkZ5vsC1MF7ma73Q2wVmnVshFBoO7aRprNbbyRY8MEgrGcu3maFfxF e/b/9POPijq/+UyYpfwVyE+sGiJM9UjaMSKig=
In-reply-to: <B197003731D4874CA41DE7B446BBA3E829CCF34B at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <B197003731D4874CA41DE7B446BBA3E829CCF34B at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

So you want to have two solutions, one for TLS 1.0+ and another for
SSLv3?  I'm not sure why we need two when any solution that works
for SSL will also work for TLS.

Also the Certificate message is optional, so it would cause trouble
for some cipher suites.

And even more importantly, there is only ServerHello sent when you
resume an old session!

Mike


Nasko Oskov wrote:

Currently, many browsers attempt to negotiate TLS with extensions, but if it fails for any reason, they re-start the negotiation without extensions (either as a TLS negotiation or an SSLv2/3) negotiation. That behavior leads to a trivial downgrade attack by a MiTM - all the MiTM has to do is fail any negotiation with the renegotiation extension present and wait for the browser to try a negotiation without it. This leads to situation where the client is unaware if there is MiTM or real server that doesn't support extensions. If we want browsers to be secure we have no choice but fixing SSLv3 somehow or disabling it entirely.

I've been reading all the ideas people have come up with and there are some good suggestions in all the mails exchanged. After discussing the various approaches with Paul Leach and passing some ideas around with Marsh Ray, we came up with a blended approach to solving the overall problem. I would like to propose a solution that uses some of the ideas brought up.We all agree that there are two parts to the solution - signaling and changing state to allow for detection of the attack (aka cryptographically binding the two handshakes), so the general spirit is to use single way of changing state and different signaling for TLS and SSLv3.


For SSLv3, we can use the cipher suite idea and define the magic cipher suite value that SSLv3 client will send out to the server. Based on this indicator, server knows whether to use regular running hash as it is today or use the modified running hash. The problem for SSLv3 is the signal from the server to the client. S->C signaling must be done in a handshake message preceding the Finish message, so both client and server can agree on the version of the running hash. The one dynamic field we know from experience is handled properly by implementations is the list of certificates. We can use the server Certificate message as the signal by including specially defined certificate in the list of certificates sent by the server. If the server sees the magic cipher suite, the special certificate is included at the end of the certs being sent. We can define the cert to be the smallest possible server (aka very little real data in it) and include an unique OID to ensure we don't c

ol

 lide with some real usage of "empty" certificate.

Here is the matrix for interop:

                 Old server                              New server
----------------------------------------------------------------------------
Old Client | as is | server detects old client on| | ClientHello and can interop| | based on config| |----------------------------------------------------------------------------New Client | detects old server | server detects new client on| on Certificate message and | initial handshake| can interop based on config | client detects new server on| | Certificate| | both start using the modified| | running hash
----------------------------------------------------------------------------

There are few ways the running hash can be modified and it seems inserting the previous Finished message into the running hash is something everyone agrees should work. Inserting it as the initial input to the new running hash is a clean approach and allows for easier logic. The only drawback is that the SSLv3 client will have to keep two hash states around until the Certificate message is received, but the client needs to keep the ClientHello around until the ServerHello is received back, so the complexity should not be much greater.
For TLS 1.0 and above, we can use this same approach with very little modification. Since we have clear signaling in the Hello messages using extensions, both client and server can detect unpatched parties and based on config either proceed or terminate. The major difference is that TLS client doesn't have to maintain two different hash states, since server signals the client and the client can make the decision whether to hash the previous Finished message into the running hash or not. As such, the extension as proposed today does not need to transmit the actual Finished messages, as they will be cached on each end.
Overall what we achieve is:
* modifying the running hash only for renegotiations, which allows interop for cases where renego is not needed (a big portion of the traffic)
* clear signaling in TLS implementations
* backwards compatible solution for SSLv3
* both sides can interop or not with unpatched parties based on configuration
* even if both sides are lenient in behavior, they are secure as long as both of them are patched
* clients falling back from TLS to SSLv3 because of extensions compatibility will be safe

Alternatively, we can use the existing draft for TLS and the proposed solution here for SSLv3.

Nasko

P.S. The extension will have to be a "MUST" for all TLS implementations, otherwise the MiTM can downgrade to TLS without extensions and we are back at having the problem. This requires, among other things, that browser fallback logic be slightly changed. There should not be a case of sending a TLS ClientHello without the extension. If the server reacts poorly, a downgrade directly to SSLv3 plus the signaling solution should be attempted.

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Nasko Oskov

References:
- [TLS] Proposal for hybrid solution using most of the ideas
  - From: Nasko Oskov

Prev by Date: Re: [TLS] TLS Protocol Version
Next by Date: Re: [TLS] TLS Protocol Version
Previous by thread: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.