Re: [TLS] Need for S->C signaling

To: Marsh Ray <marsh at extendedsubset.com>
Subject: Re: [TLS] Need for S->C signaling
From: Yoav Nir <ynir at checkpoint.com>
Date: Fri, 20 Nov 2009 22:21:58 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <4B05C6D8.6030205 at extendedsubset.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <C72AC445.671C%stefan at aaa-sec.com> <B197003731D4874CA41DE7B446BBA3E829CD28D4 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <334EA87E-FDC3-4A45-B4EB-316A046EBFFD at checkpoint.com> <4B05C6D8.6030205 at extendedsubset.com>
Thread-index: AcpqHyB5KmtSQfH6QoGjUOby/fMQWA==
Thread-topic: [TLS] Need for S->C signaling

OK. So this is the case where the MitM has already sent the entire request, and the server decided it wants client authentication, and there is no session cookie that needs to be sent.

Although for nearly all HTTPS cases this won't work, I guess it could happen.
 
On Nov 20, 2009, at 12:29 AM, Marsh Ray wrote:

> Yoav Nir wrote:
>> 
>> But even if the server did send the CCS and Finished message, the
>> Finished message does not check out,
>> so the client does not complete the request. So where's the damage.
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> http://tools.ietf.org/html/rfc4346
>    Client                                               Server
> 
>      ClientHello                  -------->
>                                                      ServerHello
>                                                     Certificate*
>                                               ServerKeyExchange*
>                                              CertificateRequest*
>                                   <--------      ServerHelloDone
>      Certificate*
>      ClientKeyExchange
>      CertificateVerify*
>      [ChangeCipherSpec]
>      Finished                     -------->
>                                               [ChangeCipherSpec]
>                                   <--------             Finished
>      Application Data             <------->     Application Data
> 
>             Fig. 1. Message flow for a full handshake
> 
> 
> The client has to send his Finished message before he sees the server's.
> 
> The server executes the request when he receives Finished from the
> client. There is nothing later he can wait for, really.
> 
> MitM can drop the server's Finished message before the client gets a
> chance to verify it.
> 
> - Marsh
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> Scanned by Check Point Total Security Gateway.

References:
- [TLS] Need for S->C signaling
  - From: Stefan Santesson
- Re: [TLS] Need for S->C signaling
  - From: Nasko Oskov
- Re: [TLS] Need for S->C signaling
  - From: Yoav Nir
- Re: [TLS] Need for S->C signaling
  - From: Marsh Ray

Prev by Date: Re: [TLS] Need for S->C signaling
Next by Date: [TLS] Consensus Call for draft-ietf-tls-renegotiation-00.txt
Previous by thread: Re: [TLS] Need for S->C signaling
Next by thread: Re: [TLS] Need for S->C signaling
Index(es):
- Date
- Thread

Re: [TLS] Need for S->C signaling

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.