[openssl-dev] Enhance Extended Master Secret to conform to new MUST requirements in spec
Bill Cox
waywardgeek at google.com
Mon Apr 20 15:36:36 UTC 2015
Hi. I'm looking into extended master secret (EMS) support in OpenSSL. It
works on my machine correctly, except for session resumption. From the
latest EMS spec:
"If a server receives a ClientHello for an abbreviated handshake
offering to resume a previous session, it behaves as follows.
o If the original session did not use an extended master secret but
the new ClientHello does contain the "extended_master_secret"
extension, the server MUST NOT perform the abbreviated handshake.
Instead, it SHOULD continue with a full handshake to negotiate a
new session."
The threat here is that in a Triple Handshake attack, the attacker A
down-grades both initial connections to client C and server S to not
support EMS. In the second step, the session resumption step, he
re-enables EMS on both connections, causing the handshake logs to agree,
which allows the third connection (the renegotiation step) to complete with
EMS enabled for any client accepting a server cert change. At this point C
accepts the connection to A as actually a connection to S, thwarting TLS
authentication.
Emilia suggested that I develop a patch for this by forking master on
github and submitting a pull request. If I understand correctly, you guys
prefer an email like this before starting work on patches. Is that right?
There is also a bit of related behavior that I would also like to fix. As
described in the spec:
"If a client receives a ServerHello that accepts an abbreviated
handshake, it behaves as follows.
o If the original session did not use an extended master secret but
the new ServerHello does contain the "extended_master_secret"
extension, the client MUST abort the handshake."
In this case, the client has detected a bug in the server's EMS
implementation, and if the client continues, it is subject to the full TH
downgrade attack as above.
Thanks,
Bill
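As an added illustration, not code from this post or from OpenSSL, here is the resumption decision each side has to make under the quoted spec text. It covers the two cases Bill quotes and also the mirror cases (original session used EMS but the new Hello omits it), which the spec treats as a fatal mismatch; function and enum names are my own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of the EMS consistency check on a session-resumption attempt. */
typedef enum {
    EMS_RESUME_ABBREVIATED, /* proceed with the abbreviated handshake */
    EMS_RESUME_FULL,        /* server only: refuse resumption, run a full handshake */
    EMS_RESUME_ABORT        /* abort the handshake with a fatal alert */
} ems_resume_action;

/* Server side, on a ClientHello that offers to resume a cached session.
 * session_used_ems: the original session negotiated extended_master_secret.
 * hello_has_ems:    the new ClientHello carries the extension. */
ems_resume_action ems_server_resume_action(bool session_used_ems, bool hello_has_ems)
{
    if (session_used_ems && !hello_has_ems)
        return EMS_RESUME_ABORT;   /* extension dropped: treat as downgrade, abort */
    if (!session_used_ems && hello_has_ems)
        return EMS_RESUME_FULL;    /* MUST NOT resume; do a full handshake instead */
    return EMS_RESUME_ABBREVIATED; /* both sides agree on EMS state, resume */
}

/* Client side, on a ServerHello that accepts the abbreviated handshake.
 * The client has no "fall back to full handshake" option: any mismatch
 * between the cached session and the ServerHello is fatal. */
ems_resume_action ems_client_resume_action(bool session_used_ems, bool hello_has_ems)
{
    if (session_used_ems != hello_has_ems)
        return EMS_RESUME_ABORT;
    return EMS_RESUME_ABBREVIATED;
}

static const char *action_name(ems_resume_action a)
{
    return a == EMS_RESUME_FULL ? "full handshake"
         : a == EMS_RESUME_ABORT ? "abort" : "abbreviated";
}

int main(void)
{
    /* The triple-handshake step 2 scenario from the post: both original
     * sessions were negotiated without EMS, resumption now offers it. */
    printf("server: %s\n", action_name(ems_server_resume_action(false, true)));
    printf("client: %s\n", action_name(ems_client_resume_action(false, true)));
    return 0;
}
```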