Re: [TLS] Need for S->C signaling
On Nov 19, 2009, at 5:32 PM, Nasko Oskov wrote:
> Stefan Santesson wrote:
>> Just a question to make sure we have accurately exhausted this aspect.
>>
>> Is it really necessary for the Server to signal that it is patched, other than
>> by using a modified finished calculation, if it is patched/upgraded?
>
> Yes. If you use the finished message, the attack is still possible.
>
>> One scenario could be:
>>
>> 1) Client uses the magic cipher suite to signal that it is patched/upgraded.
>> 2) Client sends a normal finished message.
>> 3a) Un-patched server replies with normal finished message.
>> 3b) Patched server replies with upgraded finished message.
>>
>> This way the client could determine whether the server is patched or not
>> and act accordingly and get the security context of renegotiate from the
>> patched server.
>
> Once the server replies with the Finished message, it would move to
> connected state and the HTTP stack is clear to execute the MiTM request. As
> part of developing proof of concept for our own testing, I've observed that
> connecting to an IIS server, the server will send CCS, Finished, App data.
> Even if the client were to drop the connection, the request has been
> executed and attack is carried out.
I don't quite see why the attack still works.
MITM does the handshake and forwards a partial request to the server. After that, the MITM forwards the client's ClientHello. That ClientHello contains the magic cipher suite.
The server sends the ServerHello, certificate, serverKeyExchange.
The client thinks this is an initial handshake, so it sends a "normal" Finished message.
The server, however, thinks this is a re-negotiation, so it expects the modified Finished message (the normal finished is only for the initial handshake).
So the server never replies with any CCS and Finished message.
But even if the server did send the CCS and Finished message, the Finished message does not check out, so the client does not complete the request. So where's the damage?
The other attack is where the server initiates the re-negotiation with a HelloRequest. In that case, again, the client's Finished message doesn't check out, because it's calculated as an initial handshake Finished. So the server does not execute the request.
So how does the attack still work?
Yoav
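As an added example (not code from this thread), a toy model of the flow Yoav describes above: the MITM's partial request stays buffered, the victim's ClientHello is treated by the server as a renegotiation, and the outcome depends on whether the Finished calculation differs for renegotiation. The PRF is replaced by HMAC-SHA256, the master secrets and request bytes are constructed stand-ins, and Nasko's observation about a server proceeding to application data before the check is not modelled.

```python
import hashlib
import hmac


def finished(master_secret, transcript, renegotiating, modified_finished):
    # Toy verify_data: HMAC over the transcript stands in for the TLS PRF;
    # the "modified finished" proposal is a different label on renegotiation.
    label = b"client finished"
    if modified_finished and renegotiating:
        label = b"renegotiation finished"
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, label + digest, hashlib.sha256).digest()[:12]


class ToyServer:
    # Buffers app data across a renegotiation; HTTP only runs complete requests.
    def __init__(self, modified_finished):
        self.modified_finished = modified_finished
        self.handshakes = 0
        self.buffered = b""   # bytes received before the renegotiation
        self.executed = []    # requests the HTTP layer actually ran

    def handshake(self, master_secret, transcript, client_finished):
        renegotiating = self.handshakes > 0   # the server's view, not the client's
        expected = finished(master_secret, transcript, renegotiating, self.modified_finished)
        if not hmac.compare_digest(expected, client_finished):
            self.buffered = b""   # fatal alert: nothing buffered is used
            return False
        self.handshakes += 1
        return True

    def app_data(self, data):
        self.buffered += data
        if self.buffered.endswith(b"\r\n\r\n"):
            self.executed.append(self.buffered)
            self.buffered = b""


def splice(modified_finished):
    # MITM handshakes, injects a partial request, then forwards the victim's
    # ClientHello (magic suite). Secrets and request bytes are constructed.
    server = ToyServer(modified_finished)
    mitm_secret, client_secret = b"M" * 48, b"C" * 48
    mitm_ts = [b"ClientHello(mitm)", b"ServerHello", b"Certificate"]
    server.handshake(mitm_secret, mitm_ts,
                     finished(mitm_secret, mitm_ts, False, modified_finished))
    server.app_data(b"GET /private HTTP/1.1\r\nX-Ignore: ")
    client_ts = [b"ClientHello(magic suite)", b"ServerHello", b"Certificate"]
    client_fin = finished(client_secret, client_ts, False, modified_finished)  # initial-handshake Finished
    accepted = server.handshake(client_secret, client_ts, client_fin)
    if accepted:
        server.app_data(b"GET / HTTP/1.1\r\nCookie: session=victim\r\n\r\n")
    return accepted, server.executed
```

`splice(False)` shows the unmodified Finished verifying and the spliced request reaching the HTTP layer; `splice(True)` shows the renegotiation-labelled check failing and the buffered prefix being discarded.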