[TLS] Thoughts on the protocol and backward-compatibility (was: Server-only solution - proposed text)
Kyle Hamilton <aerowolf@gmail.com> Tue, 24 November 2009 22:15 UTC
Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5BA83A6819 for <tls@core3.amsl.com>; Tue, 24 Nov 2009 14:15:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHiiRik3+oDy for <tls@core3.amsl.com>; Tue, 24 Nov 2009 14:15:00 -0800 (PST)
Received: from mail-pz0-f176.google.com (mail-pz0-f176.google.com [209.85.222.176]) by core3.amsl.com (Postfix) with ESMTP id 8317B3A680C for <tls@ietf.org>; Tue, 24 Nov 2009 14:15:00 -0800 (PST)
Received: by pzk6 with SMTP id 6so4871949pzk.29 for <tls@ietf.org>; Tue, 24 Nov 2009 14:14:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:cc:content-type; bh=KNU22gqckwGCr+OsWdid7sanB1lS0VSj1kZdtervCcU=; b=DfTZviw7XV4yhHuKKO25OI0njwI96KFv2mDUiVkO+aakozKfOgGU+NxOoSsuSwgpWS FXKxOJNDZRMBC8uZ2rWesG1bPTG8wZYsvn2Gw1I3GMZuDIFyCo7SedAT8PHLVuc9gJSY AEyBYlfNVufwmG9PkbQHewIHSWeK1OReFBUA0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=Jl1QAQj7/c0JYty44W5BYiVhrZ5EaB8rrM8RwpPTjZ0pAygl0tFCO5tv7lCDYNVwtd EOgbJ63S5KPCwpslhXR23IJy6gyjzVdzEap/vfC/qE31S9N4ZPdXQDKABRUPUUp6iyLg g2bUZ9Zl2whHaX68escjK/k+7KQ3TqIIXHaZI=
MIME-Version: 1.0
Received: by 10.142.119.20 with SMTP id r20mr730581wfc.303.1259100893465; Tue, 24 Nov 2009 14:14:53 -0800 (PST)
Date: Tue, 24 Nov 2009 14:14:53 -0800
Message-ID: <6b9359640911241414o1468616ajfdd0840f84e2cbc7@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Tue, 24 Nov 2009 15:49:13 -0800
Cc: tls@ietf.org, yaronf@checkpoint.com
Subject: [TLS] Thoughts on the protocol and backward-compatibility (was: Server-only solution - proposed text)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 23:44:32 -0000
On Tue, Nov 24, 2009 at 12:43 PM, Marsh Ray <marsh@extendedsubset.com> wrote: > Pasi.Eronen@nokia.com wrote: >> Earlier Eric noted that if no application data is exchanged between the >> initial and renegotiation handshake (i.e. no application data is sent >> using the 1st session), this would be safe even without protocol >> changes. Should this be included in this section, too? > > In order for that scenario to be 'safe' we would need to find some > language in the TLS spec, there since the beginning, which says that an > application MUST NOT attribute any semantics to the successful > authentication of the remote party. I don't believe the spec has any > such language. > > There is probably some application out there which interprets a > connection from an authenticated client (or to an authenticated server) > as an "event" with real semantics. > > Using SSH as an analogy, sometimes a login shell is set to, say, a > backup program. Commands get launched when the user authenticates. > > Back with TLS, Microsoft IIS, for example, has a > client-certificate-to-user mapping facility. It's certainly possible > that the connection from such authenticated clients could trigger > certain "non-idempotent" activities, even if just adding false log records. > > - Marsh I still want the ability to negotiate using an ephemeral suite, and only then (in the protected-from-eavesdropping-but-not-yet-authenticated channel) offer the certificates. In my view, this is a rather serious information-disclosure vulnerability in the original protocol, where the Certificate messages are sent before ChangeCipherSuite. This is simply not possible without renegotiation. The TLS library has the ability to detect when application data has come in -- and one of the ways to mitigate this might be for the TLS library to maintain an additional flag to prevent any application data from being sent out or accepted while a (re)negotiation is taking place. (There's already a requirement that application data not be sent with NULL-NULL-NULL, the initial state of the connection... and the one value which is illegal to negotiate.) If it does, the server could fatal-alert either unexpected_value, protocol_error, or insufficient_security. (If a patched server *requires* that the client be patched, insufficient_security or protocol_version would be appropriate.) Since there is already one magic value that must not be negotiated as a cipher suite, there's precedent to use that mechanism... and since this is a problem that affects all current versions of SSL3/TLS implementations, it is important that we not change the semantics of any of the messages that those implementations would normally see. This means that we must use the only extension mechanism defined in all SSL/TLS specifications -- the ability to add new cipher suites. Because of this, I see no way to avoid adding a second "it is an error if this suite is negotiated" tag to the cipher suite list. Thus, I support the idea of using a new magic value in the cipher list to indicate that a client has been patched (with the patch including "must not negotiate this cipher suite, but including it means that the server knows that the client can do the new renegotiation semantics"). I also support the idea of standards action with all due haste (once things are agreed upon) to update TLS 1.0, 1.1, and 1.2 with new semantics (and the Standards Action necessary to allocate a new cipher suite tag), with a recommendation to also update SSL 3.0 implementations. (SSL 2 is just bad in the first place, and I see no reason to try to improve it.) The only downside I see to this is the eventual possibility of branches of the protocol like Limewire did... using magic strings in what essentially amounted to the User-Agent string to identify extra capabilities. I believe that this problem is much more effectively and efficiently solved using TLS Extensions, so I am loath to add any additional magic values unless something else comes up that requires additional *retroactive* changes to the protocols that need to be signalled. (Using a cipher suite tag essentially leaves the protocol untouched for unpatched clients, and the workarounds on the server side ('no renegotiation' or 'server-initiated renegotiation only') will still work. If a server demands that the client be patched, I've discussed above what the appropriate response would appear to be, to my eyes (based on the definitions in RFC 5246 -- I haven't looked at earlier versions).) Once the signal has been sent by the client that it has been patched, both the patched client and server implementations could then branch into a different Finished calculation. I do like the idea of adding the hash from the last Finished message that the client sent -- initial state as all bits off -- to a renegotiated Finished handshake calculation. Since a client is not considered authenticated until the server has verified that the certificate is valid, the key to that certificate is held by the entity at the other end of the connection, and the ChangeCipherSpec and Finished messages check out... well, there's no worry of a client being improperly authenticated and triggering anything other than at most a 'bad login' attempt. Though I would prefer to see that one not be 'bad login' (since that could be a non-idempotent action that, for example, locks the user account), but 'attack detected'.) I also support the creation of a Renegotiation Indication extension, so that TLS servers that support extensions won't have to set a connection-context flag during processing of the cipher list. RI should also include the magic cipher code, or even have its tag *be* the magic 'patched cipher' code. (I do hate special-casing code -- in this case, during the cipher list processing, and then during the Finished message calculation -- but I don't really see much of a choice if we want to maintain some limited backward compatibility with the world that already exists, which the AD has stated is a priority.) -Kyle H
- Re: [TLS] Thoughts on the protocol and backward-c… Marsh Ray
- Re: [TLS] Thoughts on the protocol and backward-c… Kyle Hamilton
- [TLS] Thoughts on the protocol and backward-compa… Kyle Hamilton
- Re: [TLS] Thoughts on the protocol and backward-c… Nicolas Williams
- Re: [TLS] Thoughts on the protocol and backward-c… Martin Rex
- Re: [TLS] Thoughts on the protocol and backward-c… Marsh Ray