[TLS] potential attack on TLS cert compression

Subodh Iyengar <subodh@fb.com> Thu, 22 March 2018 16:04 UTC

From: Subodh Iyengar <subodh@fb.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: potential attack on TLS cert compression
Thread-Index: AQHTwfUqvzIdgGnQXkqEA9sKCzBOZw==
Date: Thu, 22 Mar 2018 16:03:00 +0000
Message-ID: <MWHPR15MB1821D5D75667B3C8F4132A1EB6A90@MWHPR15MB1821.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FNFAcCV6btB3zLWqMQ_nA11Fp5I>
Subject: [TLS] potential attack on TLS cert compression

Antoine and I were discussing draft-ietf-tls-certificate-compression over lunch today and we think there could be a potential attack on the current scheme which could be fixed with some changes.

Currently the CompressedCertificate is included in the handshake transcript. However, let's say a server fragments its compressed certificate message into multiple records, and an attacker has found a vulnerability in the decompression function based on the timing in which the data is delivered to the decompression function due to a race condition. They could manipulate the CompressedCertificate message to manipulate the peer to decompress something other than what the sender sent even though the handshake transcript remains the same.

Normally this wouldn't matter if there were only certificates; however, we have extensions in certificates which could manipulate how certificates can be interpreted. This creates a time-of-check-to-time-of-use bug which relies on the security of the decompression function to determine the security of the TLS exchange.

This is definitely a far-fetched attack, but I don't think it is desirable to base the security of TLS on the security of a decompression function. This is probably solvable by hashing the uncompressed cert message into the TLS transcript rather than the compressed message, which seems more secure because it enforces that the client and server have the same state of the uncompressed message.

Subodh
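The following is an added example written for this archive page; it is not code from the mail's author or from the certificate-compression draft. It models the two transcript-binding rules the mail contrasts: hashing the CompressedCertificate message itself (the scheme as discussed) versus hashing the Certificate message each side actually holds after decompression (the proposal). The handshake type compressed_certificate(25) and the algorithm identifier zlib(1) are taken from the certificate-compression specification; the ClientHello/ServerHello bytes and the certificate contents are constructed placeholders, and the "divergent" receiver view is a constructed substitution standing in for the decompressor misbehaviour the mail hypothesises, not an implementation of any such bug. The decompressor also enforces the declared uncompressed_length with a bounded output size, which is the check a receiver wants regardless of which binding rule is used.

```python
import hashlib
import struct
import zlib

# Identifiers from the TLS certificate-compression specification:
# HandshakeType compressed_certificate(25), CertificateCompressionAlgorithm zlib(1).
HS_CERTIFICATE = 11
HS_COMPRESSED_CERTIFICATE = 25
ALG_ZLIB = 1

# Constructed stand-ins for the earlier handshake messages (not real TLS encodings).
CLIENT_HELLO = b"\x01\x00\x00\x05hello"
SERVER_HELLO = b"\x02\x00\x00\x05hello"


def handshake_message(msg_type: int, body: bytes) -> bytes:
    """TLS Handshake framing: 1-byte msg_type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_certificate_message(cert_der: bytes, extensions: bytes = b"") -> bytes:
    """Minimal TLS 1.3 Certificate message: empty request context, one CertificateEntry."""
    entry = (len(cert_der).to_bytes(3, "big") + cert_der
             + struct.pack("!H", len(extensions)) + extensions)
    body = b"\x00" + len(entry).to_bytes(3, "big") + entry
    return handshake_message(HS_CERTIFICATE, body)


def compress_certificate(cert_msg: bytes) -> bytes:
    """Wrap a Certificate message in a CompressedCertificate message using zlib."""
    compressed = zlib.compress(cert_msg)
    body = (struct.pack("!H", ALG_ZLIB)
            + len(cert_msg).to_bytes(3, "big")      # uncompressed_length
            + len(compressed).to_bytes(3, "big")    # opaque<1..2^24-1> length prefix
            + compressed)
    return handshake_message(HS_COMPRESSED_CERTIFICATE, body)


def decompress_certificate(compressed_msg: bytes) -> bytes:
    """Recover the Certificate message, enforcing the declared uncompressed_length."""
    if compressed_msg[0] != HS_COMPRESSED_CERTIFICATE:
        raise ValueError("not a CompressedCertificate message")
    body = compressed_msg[4:4 + int.from_bytes(compressed_msg[1:4], "big")]
    (alg,) = struct.unpack("!H", body[:2])
    uncompressed_length = int.from_bytes(body[2:5], "big")
    comp_len = int.from_bytes(body[5:8], "big")
    if alg != ALG_ZLIB:
        raise ValueError("unsupported compression algorithm %d" % alg)
    # Bound the output at uncompressed_length + 1 so an over-long stream is
    # detected as a length mismatch instead of being inflated without limit.
    d = zlib.decompressobj()
    cert_msg = d.decompress(body[8:8 + comp_len], uncompressed_length + 1)
    if len(cert_msg) != uncompressed_length or d.unconsumed_tail or not d.eof:
        raise ValueError("decompressed size does not match uncompressed_length")
    return cert_msg


def transcript_hash(messages) -> str:
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.hexdigest()


def transcript_entry(compressed_msg: bytes, decompressed_msg: bytes,
                     bind_uncompressed: bool) -> bytes:
    """What a peer feeds into the transcript for this handshake step.

    bind_uncompressed=False: the CompressedCertificate message itself is hashed
    (the scheme the mail describes). True: the Certificate message each side
    actually holds after decompression is hashed (the mail's proposal).
    """
    return decompressed_msg if bind_uncompressed else compressed_msg


def transcripts_agree(sender_cert_msg: bytes, receiver_cert_msg: bytes,
                      bind_uncompressed: bool) -> bool:
    """Would both sides derive the same transcript hash, and so accept each other's Finished?"""
    compressed = compress_certificate(sender_cert_msg)
    sender = transcript_hash([CLIENT_HELLO, SERVER_HELLO,
                              transcript_entry(compressed, sender_cert_msg, bind_uncompressed)])
    receiver = transcript_hash([CLIENT_HELLO, SERVER_HELLO,
                               transcript_entry(compressed, receiver_cert_msg, bind_uncompressed)])
    return sender == receiver


def run_demo() -> dict:
    # Constructed placeholder certificate bytes; real ones would be DER-encoded X.509.
    sent = build_certificate_message(b"CONSTRUCTED-CERT-AS-SENT" * 8)
    # Honest path: the receiver decompresses exactly what was sent.
    honest = decompress_certificate(compress_certificate(sent))
    # Divergent view: a constructed substitution standing in for a decompressor that
    # hands the certificate parser something other than the sender's message (here the
    # same certificate with a different extensions block, the case the mail worries about).
    divergent = build_certificate_message(b"CONSTRUCTED-CERT-AS-SENT" * 8,
                                          extensions=b"\xff\xff\x00\x00")
    return {
        "honest_roundtrip": honest == sent,
        "compressed_binding_hides_divergence":
            transcripts_agree(sent, divergent, bind_uncompressed=False),
        "uncompressed_binding_detects_divergence":
            not transcripts_agree(sent, divergent, bind_uncompressed=True),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the compressed message in the transcript, both sides compute identical hashes even when their post-decompression Certificate messages differ, so the Finished exchange cannot catch the divergence; binding the uncompressed message makes the two transcripts diverge and the handshake fail, which is the property the mail argues for.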